Override EAP invalid result in authentication section

PENZ Robert ROBERT.PENZ at TIROL.GV.AT
Mon May 27 15:50:30 CEST 2013


Hi!

I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not reject them to the guest VLAN. My config looks like this:

authorize {

....
        # we don't know the MAC .... reject it to the guest net
        if (!ok) {
            update control {
                MACAU-Reason := "MAC address not in DB"
            }
            reject
        }

        # if not 802.1x, it's only MAC auth
        if (!EAP-Message) {
            # mac has already been checked, accept (it gets into the remediation VLAN)
            update control {
                  Auth-Type := Accept
                  MACAU-Reason := "only MAC, no 802.1x"
            }
        }
        else {
            # we're in the 802.1x path .... continued in the authenticate section
            eap
        }
....
}

authenticate {
....
        Auth-Type EAP {
            eap {
                handled = 1
                invalid = 1
            }

            if (ok) {
                  # update VLAN to production client network
                  # this part works perfectly
            }
            else {
                # EAP didn't work
                if (EAP-Type == "NAK") {
                    update control {
                        MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
                        Auth-Type := Accept
                    }
                }
                else {
                    update control {
                        MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
                        Auth-Type := Accept
                    }
                }

                ok    # <----- does not work
            }
        }
....
}

I just need an accept here, the VLAN which will be returned is already the remediation VLAN (as it is the same as if the client uses only MAC authentication). Currently the client gets rejected if e.g. the certificate is expired as the client has not been in the network for some time. MACAU-Reason is logged to the DB in post-auth.

This is the log:

Mon May 27 15:17:55 2013 : Info: [tls] eaptls_process returned 4 
Mon May 27 15:17:55 2013 : Info: [eap] Handler failed in EAP/tls
Mon May 27 15:17:55 2013 : Info: [eap] Failed in EAP select
Mon May 27 15:17:55 2013 : Info: ++[eap] returns invalid
Mon May 27 15:17:55 2013 : Info: ++? if (ok)
Mon May 27 15:17:55 2013 : Info: ? Evaluating (ok) -> FALSE
Mon May 27 15:17:55 2013 : Info: ++? if (ok) -> FALSE
Mon May 27 15:17:55 2013 : Info: ++- entering else else {...}
Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK")
Mon May 27 15:17:55 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Mon May 27 15:17:55 2013 : Info: +++- entering else else {...}
Mon May 27 15:17:55 2013 : Info: ++++[control] returns invalid
Mon May 27 15:17:55 2013 : Info: +++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: ++- else else returns invalid
Mon May 27 15:17:55 2013 : Info: Failed to authenticate the user.
Mon May 27 15:17:55 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxxxxxxx/<via Auth-Type = Accept>] (from client xxxxxxxx port xxxx cli xxxxxxxxxxxxxxx)
Mon May 27 15:17:55 2013 : Info: Using Post-Auth-Type Reject


I hope someone can help me. Thx!

Kind regards
Robert Penz

--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 74 3355
E-Mail: robert.penz at tirol.gv.at
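An added illustration of why the bare `ok` at the end of the `else` block is never reached; this is a small Python model written for this note, not code from the post and not FreeRADIUS source. It replays the unlang return-code rule (each result has a priority; a priority of `return` ends the section at once; otherwise a result replaces the running result only if its priority is higher) over the authenticate section as the debug log shows it executing. The priority table `AUTHENTICATE_DEFAULTS` and the step list in `posted_authenticate_section` are assumptions of the model, taken from the commonly documented authenticate-section defaults and from the log lines in the post.

```python
"""Toy model of unlang return-code handling (illustration only, not
FreeRADIUS code), used to replay the authenticate section from the post."""

RETURN = "return"

# Assumed default priorities for the authenticate section. This table is an
# assumption of the model (it mirrors the usual documented defaults, where
# reject/fail/handled/invalid/userlock all mean "return").
AUTHENTICATE_DEFAULTS = {
    "reject": RETURN, "fail": RETURN, "ok": 4, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "updated": 3,
}


def run_section(steps, defaults=AUTHENTICATE_DEFAULTS, depth=1, trace=None):
    """Evaluate a list of steps the way an unlang section combines results.

    Each step is (name, body, overrides): body is either a return-code
    string (a module call) or a nested list of steps (an if/else block);
    overrides maps codes to priorities, like `eap { invalid = 1 }` does.
    Returns (section_result, trace_lines).
    """
    if trace is None:
        trace = []
    result, priority = None, -1
    for name, body, overrides in steps:
        if isinstance(body, list):
            # A nested block runs to completion; its result is then judged
            # by the *section defaults*, not by any module's overrides.
            code, _ = run_section(body, defaults, depth + 1, trace)
        else:
            code = body
        trace.append(f"{'+' * depth}[{name}] returns {code}")
        prio = {**defaults, **(overrides or {})}[code]
        if prio == RETURN:
            # 'return' priority ends the section immediately; any later
            # step (such as a bare `ok`) is never evaluated.
            return code, trace
        if prio > priority:
            result, priority = code, prio
    return result, trace


def posted_authenticate_section(eap_overrides=None):
    """The authenticate section from the post, as the log shows it running:
    eap fails in EAP/tls, `if (ok)` is FALSE, the NAK test is FALSE and the
    second `update control` runs (the posted log shows it returning invalid).
    Constructed from the post; the step list is an assumption of the model."""
    return [
        ("eap", "invalid", eap_overrides),
        ("else", [                              # else branch of `if (ok)`
            ("else", [                          # else branch of `if (EAP-Type == "NAK")`
                ("control", "invalid", None),   # update control { ... }
            ], None),
            ("ok", "ok", None),                 # the bare `ok` the author wants reached
        ], None),
    ]


def replay_post():
    """Replay with the post's `eap { handled = 1  invalid = 1 }` override."""
    return run_section(posted_authenticate_section({"handled": 1, "invalid": 1}))


def replay_without_override():
    """Same section with no override: the section stops right at eap."""
    return run_section(posted_authenticate_section(None))


if __name__ == "__main__":
    for label, fn in (("with override", replay_post),
                      ("without override", replay_without_override)):
        result, trace = fn()
        print(f"--- {label}: section result = {result}")
        print("\n".join(trace))
```

In the model, the `invalid = 1` override applies only to the result of the `eap` call itself, which is why `if (ok)` is evaluated at all. The `invalid` produced inside the nested `else` block is judged against the section defaults, where it carries priority `return`, so the enclosing block and then the section end before the bare `ok` line is ever looked at; the replay reproduces the "else else returns invalid" lines followed by the failed authentication that the posted log shows.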
