Proxy EAP-TLS request after successful authorization with eap module

work vlpl thework.vlpl at gmail.com
Tue Oct 17 18:06:28 CEST 2017


> On 17 October 2017 at 13:26, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
> ...
>
> Should be possible, just call eap in authorise with method override.
>
> i.e.
>
> authorize {
>         eap
>
>         if (&control:Auth-Type == EAP) {
>                 eap.authenticate
>         }
> }


I tried the following config, as you suggested:


authorize {
    eap

    if (&control:Auth-Type == EAP) {
        eap.authenticate
    }

    eap.authenticate
    if (ok) {
        debug_all
        update control {
            Proxy-To-Realm := 'testing-realm'
        }
    }

}


and got this in the debug log:


 server tls_only {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/tls_only
(6)     authorize {
(6)       update request {
(6)         Supplicant-User-Name := TLS-Client-Cert-Common-Name -> 'changed_1'
(6)       } # update request = noop
(6)       update config {
(6)         &Auth-Type := Accept
(6)       } # update config = noop
(6)     } # authorize = noop
(6)   Found Auth-Type = Accept
(6)   Auth-Type = Accept, accepting the user
(6) } # server tls_only
(6) Virtual server sending reply
(6) eap_tls:     caching TLS-Cert-Serial := "f4f7b543fa1eaa80"
(6) eap_tls:     caching TLS-Cert-Expiration := "370806185333Z"
(6) eap_tls:     caching TLS-Cert-Subject := "/CN=CHANGED"
(6) eap_tls:     caching TLS-Cert-Issuer := "/CN=CHANGED"
(6) eap_tls:     caching TLS-Cert-Common-Name := "CHANGED"
(6) eap_tls:     caching TLS-Client-Cert-Serial := "changed"
(6) eap_tls:     caching TLS-Client-Cert-Expiration := "271017150656Z"
(6) eap_tls:     caching TLS-Client-Cert-Subject := "/C=US/L=Secure Wi-Fi/O=example.com/CN=changed_1"
(6) eap_tls:     caching TLS-Client-Cert-Issuer := "/CN=changed"
(6) eap_tls:     caching TLS-Client-Cert-Common-Name := "changed_1"
(6) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
tls: Freeing cached session VPs
(6)       [eap.authenticate] = ok
(6)     } # if (&control:Auth-Type == EAP)  = ok
(6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x8920cc6c8c26c12e
(6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(6) eap: Failed in handler
(6)     [eap.authenticate] = invalid
(6)   } # authorize = invalid
(6) Using Post-Auth-Type Reject


I also tried deleting Auth-Type, as suggested by Alan DeKok:

>   On 17 October 2017 at 17:50, Alan DeKok <aland at deployingradius.com> wrote:

>   Oh god... that might actually work.
>
>   You'd also have to delete the Auth-Type := EAP, too.  And maybe add an "Auth-Type noop", with a "noop" thing there.  Because the server really does expect to run an authenticate method.

authorize {
    eap

    if (&control:Auth-Type == EAP) {
        update control {
            Auth-Type  !* ANY
        }
        eap.authenticate
    }

    eap.authenticate
    if (ok) {
        debug_all
        update control {
            Proxy-To-Realm := 'testing-realm'
        }
    }

}


This also did not help. What else can I try?

Vladimir
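Added illustration, not part of the thread and not something the thread verifies against a live server: the debug output above shows the `eap.authenticate` inside the `if` already returning `ok` and freeing the EAP handler once EAP Success is sent; the second, unconditional `eap.authenticate` then has no session matching the state and returns `invalid`, which turns the whole `authorize` section into a reject. A variant of the posted section that calls `eap.authenticate` once and keys the proxy decision on that single result (realm name kept from the post):

```unlang
authorize {
    # Run the EAP module in authorize so it sets Auth-Type := EAP
    # and attaches the EAP session state to this request.
    eap

    if (&control:Auth-Type == EAP) {
        # Drop Auth-Type so the server does not try to run the EAP
        # authenticate method again later (Alan's suggestion).
        update control {
            Auth-Type !* ANY
        }

        # Exactly one call: the handler is freed as soon as EAP Success
        # is sent, so a second eap.authenticate in the same section has
        # no session to match and returns invalid.
        eap.authenticate

        # Intermediate EAP rounds return 'handled', which ends the
        # section here; only the final round reaches this 'ok' check.
        if (ok) {
            update control {
                Proxy-To-Realm := 'testing-realm'
            }
        }
    }
}
```

Whether the home server then accepts an Access-Request that still carries the final EAP-Message of a TLS exchange it never saw is a separate question this thread does not settle.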

