If block in authenticate statement

Alan DeKok aland at deployingradius.com
Fri Nov 6 15:42:02 CET 2015


On Nov 5, 2015, at 7:20 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>  I'm doing something off-piste again probably.
> Can I get away with doing an if statement within the mschap auth block?

  Yes.

> I'm trying to allow peap-eap-mschap inner tunnel auth on certain SSIDs only; without the if statement, it works OK, but when I check against a control variable containing SSID, it produces this:
> 
> mschap:    --> --nt-response=10fe5a0664f0f3debffdcd61b60865947601331bdefef81c
> (9) mschap: Program returned code (0) and output 'NT_KEY: CD7018318BC2359E8A362E0557384BEC'
> (9) mschap: Adding MS-CHAPv2 MPPE keys
> (9)       [mschap] = ok
> (9)       if (!ok) {
> (9)       if (!ok)  -> FALSE
> (9)     } # if (( control:SSID == "A_WiFi" ) || ( control:SSID == "Another_WiFi" ))  = ok
> (9)   } # Auth-Type MS-CHAP = noop

  That's the issue.  You can fix it by listing "ok" as the last module in the block, which should then return "ok".

  But as a larger issue... why are you doing these checks in the authenticate section?  You should be doing most of them in the "authorize" section.  You want to reject users as early in the process as possible.

authorize {
	...
	if (( control:SSID != "A_WiFi" ) && ( control:SSID != "Another_WiFi" )) {
		reject
	}
	...
}

  And why are you updating Debug-RejectInformation?  Why not just use Module-Failure-Message directly?  So the authenticate section can then look like this:

authenticate {
	...
	Auth-Type MS-CHAP {
		mschap
	}
	...
}

  If you need to see why a request was rejected, use Post-Auth-Type Reject:

post-auth {
	...
	Post-Auth-Type Reject {
		# Module-Failure-Message says why the user was rejected
	}
	...
}

  Much simpler.  Much easier to understand.

  Alan DeKok.
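For readers who want to keep the SSID check inside the authenticate section anyway, here is what the fix described above looks like in unlang. This is an added example, not part of Alan's reply or the FreeRADIUS distribution: the SSID names are the ones from the debug output, and it assumes `control:SSID` has already been populated earlier in the request (how the original poster sets it is not shown in the thread). The `else { reject }` branch is added here as a safety measure: with a bare `ok` after the `if`, a request whose SSID does not match would fall through to `ok` and be accepted without mschap ever running.

```unlang
authenticate {
	...
	Auth-Type MS-CHAP {
		# control:SSID is assumed to be set earlier (e.g. in authorize).
		if (( control:SSID == "A_WiFi" ) || ( control:SSID == "Another_WiFi" )) {
			# On failure mschap returns reject/fail, which stops
			# processing of this section, so "ok" below is not reached.
			mschap
		}
		else {
			# Without this branch a non-matching SSID would reach "ok"
			# and be accepted without any credential check.
			reject
		}

		# The debug output in the thread shows the "if" block returning
		# ok while the enclosing Auth-Type block still returned noop.
		# Making "ok" the last module in the block fixes that.
		ok
	}
	...
}
```

Even so, the authorize-and-reject layout shown in the reply is preferable: the SSID decision is made before any password handling, the Auth-Type block stays a plain `mschap`, and `Module-Failure-Message` in `Post-Auth-Type Reject` already records why a given request was refused.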



