Setting final response attributes for EAP
Phil Mayers
p.mayers at imperial.ac.uk
Tue Sep 18 18:07:38 CEST 2012
On 18/09/12 14:16, Brian Candler wrote:
> When a user logs into a wireless AP, I would to include some per-user
> response attributes, in particular Acct-Interim-Interval = 600
>
> However freeradius -X shows that this isn't happening, and it appears to be
> because of the following stanza in the default config:
>
> # The example below uses module failover to avoid querying all
> # of the following modules if the EAP module returns "ok".
> # Therefore, your LDAP and/or SQL servers will not be queried
> # for the many packets that go back and forth to set up TTLS
> # or PEAP. The load on those servers will therefore be reduced.
> #
> eap {
> ok = return
> }
This is in the "authorize" section. EAP doesn't know, at this point,
that the packet will *be* the final one, because it hasn't processed it yet.
The EAP module does all it's work in the "authenticate" section. It
must, because it might need data added by previous modules in the
"authorize" section (e.g. passwords from LDAP, SQL, files, etc.)
>
> What's the recommended solution here? Is it possible to distinguish between
> the final EAP accept and the earlier Access-Challenge, so that just the
> final response does a database lookup for the required user response
> attributes?
Yes, in post-auth.
post-auth {
update reply {
...
}
}
Generally people will do this kind of thing in the inner-tunnel virtual
server and set "use_tunneled_reply = yes" to copy the attributed back.
You need to exercise caution if you're using session resumption here,
because resumed sessions don't use the inner-tunnel.
More information about the Freeradius-Users
mailing list