Inner tunnel post auth question

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Fri May 10 14:53:16 CEST 2013


Hi,
  This may have come up before, but I can't find any solutions:
I'm using a NAS which always performs EAP/MSCHAPv2 authentication, so
I've stripped sites-enabled/default right down to pretty much just
including the eap stuff for authorisation/authentication, and am doing all
the rest inside the inner tunnel - fine.
When the RADIUS server returns an Access-Accept, it runs the stuff in the
inner-tunnel post-auth section OK, and I can record the attributes I
want to a MySQL DB, including a custom LDAP attribute inserted into a
control variable.
However, it seems that following a reject, the post-auth REJECT section
of inner-tunnel isn't actually used, so it doesn't record any info about
the attributes in the SQL database if I use an sql call.
OK .. so do it in the default post-auth REJECT bit - OK, but I can't
figure out how to pass control variables back to the outer tunnel. I'd
imagine it should be similar to the description in the post-auth REJECT
section of the inner tunnel:

update outer.reply {
        User-Name = "%{request:User-Name}"
}

But the section never gets called, so I tried putting it after the ldap
authorization bit, as I can't do it in the authentication part, or so I
gather (no unlang support in there?).
In the update below, Ldap-UserDescription is my custom attribute, which
I can see from the logs is being populated:
 [ldap] description -> Ldap-UserDescription == "test ip phone"

authorize {
..
..
        ldap
        # copy the check item the ldap module just set into the outer request's control list
        update outer.control {
                Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
}

But again it doesn't make it through (or am I doing it wrong?):


+- entering group REJECT {...}
        expand: %{control:Ldap-UserDescription} -> :
++[reply] returns noop

Am I being stupid? The best thing would be for the post-auth REJECT
section in the inner tunnel to run, but failing that I need to work out the
control item pass-back to the outer tunnel.
Thanks for any help in advance!
Andy