2.1 to 2.2 update question

Alan DeKok aland at deployingradius.com
Mon Jan 18 14:48:07 CET 2016


On Jan 18, 2016, at 5:19 AM, PENZ Robert <ROBERT.PENZ at TIROL.GV.AT> wrote:
> We did check at which version the problem got introduced and found that 2.2.0 worked, 2.2.1 did not anymore. The relevant config looks this way:
> 
> authenticate {
> .....
>        Auth-Type EAP {
>            eap  {
>                handled = 1
>                invalid = 1
>            }
> 
>            if (ok) {

  Don't put policy into the "authenticate" section.  Put it into the "post-auth" section.  That's the purpose of the post-auth section.

>                    if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) {
>                        update control {
>                            MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz"
>                        }
>                        handled
> 
>                    }
>                    # if the EAP worked, need to overwrite the VLAN, depending on the switch type
>                    elsif ("%{reply:Tunnel-Private-Group-ID}") {
>                        update reply {
>                            Tunnel-Private-Group-ID := "%{sql:SELECT ..... "
>                        }

  Like this... there is no reason to assign the Tunnel-Private-Group-ID for *every single Access-Challenge* packet.  It's only needed in the Access-Accept packet.

  Alan DeKok.



