Inner tunnel post auth question

Alex Sharaz alex.sharaz at york.ac.uk
Fri May 10 15:08:40 CEST 2013


Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 … but I'm getting old and can't remember all the details :-(


On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer <Andy.Franks at sath.nhs.uk> wrote:

> Hi,
> 
>   This may have come up before but I can’t find any solutions:
> 
> I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel – fine.
> 
> When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable.
> 
> However it seems that following a reject, the post_auth reject section of inner-tunnel isn’t actually used, so it doesn’t record any info about the attributes in the sql database if I use an sql call.
> 
> OK, so do it in the default post_auth reject bit – OK, but I can’t figure out how to pass back control variables to the outer tunnel. I’d imagine it should be similar to the description in the post auth reject section of the inner tunnel:
> 
> update outer.reply {
>         User-Name = "%{request:User-Name}"
> }
> 
> 
Have you got

    use_tunneled_reply = yes

set up in eap.conf?

Rgds
Alex

> But the section never gets called, so I tried putting it after the ldap authorization bit, as I can’t do it in the authentication part, or so I gather (no unlang support in there?).
> 
> In the below update, ldap-UserDescription is my custom attribute, which I can see from the logs is being populated:
> 
>  [ldap] description -> Ldap-UserDescription == "test ip phone"
> 
> 
> authorize {
>         ..
>         ..
>         ldap
>         update outer.control {
>                 Ldap-UserDescription := "%{control:Ldap-UserDescription}"
>         }
> }
> 
> But again it doesn’t make it through (or am I doing it wrong?)
> 
> 
> +- entering group REJECT {...}
>         expand: %{control:Ldap-UserDescription} -> :
> ++[reply] returns noop
> 
> 
> Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.
> 
> Thanks for any help in advance!
> 
> Andy
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
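As an added example (written for this page; it is not Andy's or Alex's configuration, nor the FreeRADIUS project's shipped inner-tunnel file), here is one way the pieces discussed in this thread fit together on a 2.2.x server doing PEAP/MSCHAPv2: the inner-tunnel's Post-Auth-Type REJECT sub-section copies the attributes to be logged into the outer request's reply list, the outer default site's REJECT sub-section logs them with sql and then filters the reply, and eap.conf enables use_tunneled_reply as Alex suggests. The module names ldap, sql and attr_filter.access_reject are the stock 2.x instances; Ldap-UserDescription is Andy's custom attribute from the thread. Which version actually runs the inner REJECT section is exactly what Alex is unsure about, so treat the inner-tunnel part as dependent on his 2.2.1 remark.

```unlang
# --- sites-enabled/inner-tunnel (assumed: FreeRADIUS 2.2.x, PEAP/MSCHAPv2) ---
authorize {
    eap
    ldap        # populates control:Ldap-UserDescription, as in the thread
    mschap
}

post-auth {
    # Inner Access-Accept: the sql module runs postauth_query (sql.conf),
    # which is what the thread already has working for accepts.
    sql

    # Inner Access-Reject runs only this sub-section.  The inner request
    # disappears once the tunnel is torn down, so anything we want to log
    # from the OUTER request must be copied into an outer list here.
    Post-Auth-Type REJECT {
        update outer.reply {
            User-Name            := "%{request:User-Name}"
            Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
        attr_filter.access_reject
    }
}

# --- sites-enabled/default (outer, EAP-only) ---
authorize {
    eap
}

authenticate {
    eap
}

post-auth {
    Post-Auth-Type REJECT {
        # Log first: at this point the outer reply list still holds what the
        # inner tunnel copied in, so postauth_query can reference
        # %{reply:User-Name} and %{reply:Ldap-UserDescription}.
        sql

        # Then strip the reply down to what an Access-Reject may carry to the
        # NAS.  The copied attributes exist for logging only; attr_filter
        # removes them (and the inner User-Name) before the packet leaves.
        attr_filter.access_reject
    }
}

# --- eap.conf ---
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
        # Reply attributes (and the inner User-Name) come from the tunnel
        # instead of the outer, usually anonymous, identity.
        use_tunneled_reply = yes
    }
}
```

Two things worth checking when trying this: run `radiusd -X` and confirm that `entering group REJECT` appears under the inner-tunnel request and not only under the outer one, and remember that `use_tunneled_reply = yes` deliberately sends the real inner identity to the NAS in the outer reply, which is fine for accounting but undoes whatever anonymity the outer identity was meant to provide.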

