<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Andy,<div>What version of FreeRadius are you using?</div><div>I *think* that unless you are using the git source for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 … but I'm getting old and can't remember all the details :-(</div><div><br></div><div><br><div><div>On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer <<a href="mailto:Andy.Franks@sath.nhs.uk">Andy.Franks@sath.nhs.uk</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="MS Exchange Server version 6.5.7638.1">
<title>Inner tunnel post auth question</title>
<div>
<!-- Converted from text/rtf format --><p dir="LTR"><span lang="en-gb"><font face="Calibri">Hi,</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> This may have come up before but I can</font></span><span lang="en-gb"><font face="Calibri">’t find any solutions :</font></span><span lang="en-gb"> </span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">I’m using a NAS which always</font></span><span lang="en-gb"> <font face="Calibri">performs</font></span><span lang="en-gb"><font face="Calibri"> EAP/MSCHAP2</font></span><span lang="en-gb"><font face="Calibri"> authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel</font></span><span lang="en-gb"> <font face="Calibri">–</font></span><span lang="en-gb"><font face="Calibri"> fine.</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">When the radius returns an access-accept, it runs the stuff in the</font></span><span lang="en-gb"> <font face="Calibri">inner-tunnel</font></span><span lang="en-gb"> <font face="Calibri">post_auth section ok, and I can record the attributes I want to a mysql db</font></span><span lang="en-gb"><font face="Calibri">, including a custom ldap attribute inserted into a control variable</font></span><span lang="en-gb"><font face="Calibri">.</font></span><span lang="en-gb"> </span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">However it seems that following a reject, the post_auth reject section of inner-tunnel isn</font></span><span lang="en-gb"><font face="Calibri">’t actually used, so it doesn’t record any info about the attributes in the sql database</font></span><span lang="en-gb"><font face="Calibri"> if I use an sql call</font></span><span lang="en-gb"><font face="Calibri">.</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">Ok .. so do it in the default post_auth reject bit</font></span><span lang="en-gb"> <font face="Calibri">–</font></span><span lang="en-gb"><font face="Calibri"> ok</font></span><span lang="en-gb"> <font face="Calibri">but I can’t figure how to pass back control variables to the outer tunnel. I’d imagine it should be</font></span><span lang="en-gb"> <font face="Calibri">similar to the description in the post auth reject section of the inner tunnel :</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">update outer.reply {</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> User-Name = "%{request:User-Name}"</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> </font></span><span lang="en-gb"> <font face="Calibri">}</font></span></p><div><br></div></div></blockquote><div>have u got </div><div>use_tunneled_reply = yes</div><div>set up in eap.conf?</div><div><br></div><div>Rgds</div><div>Alex</div><br><blockquote type="cite"><div><p dir="LTR"><span lang="en-gb"><font face="Calibri">But th</font></span><span lang="en-gb"><font face="Calibri">e</font></span><span lang="en-gb"><font face="Calibri"> section never gets called</font></span><span lang="en-gb"><font face="Calibri">, so I tried putting it after the ldap authorization bit</font></span><span lang="en-gb"><font face="Calibri">, as I can’t do it in the authentication part, or so I gather (no unlang support in there?)</font></span><span lang="en-gb"><font face="Calibri">.</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">In the below update,</font></span><span lang="en-gb"> <font face="Calibri">ldap-UserDescription is my custom attri</font></span><span lang="en-gb"><font face="Calibri">b</font></span><span lang="en-gb"><font face="Calibri">u</font></span><span lang="en-gb"><font face="Calibri">t</font></span><span lang="en-gb"><font face="Calibri">e, which</font></span><span lang="en-gb"> <font face="Calibri">I can see from the logs is being populated :</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> [ldap] description -> Ldap-UserDescription == "test ip phone"</font></span><span lang="en-gb"></span></p><div><span lang="en-gb"></span><br class="webkit-block-placeholder"></div><p dir="LTR"><span lang="en-gb"><font face="Calibri">Authorize {</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">..</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">..</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">ldap</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> update outer.control {</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> Ldap-UserDescription := "%{control:Ldap-UserDescription}"</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> }</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">}</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">But again it doesn’t make it through</font></span><span lang="en-gb"><font face="Calibri"> (or am I doing it wrong?)</font></span><span lang="en-gb"></span></p><div><span lang="en-gb"></span><br class="webkit-block-placeholder"></div><p dir="LTR"><span lang="en-gb"><font face="Calibri">+- entering group REJECT {...}</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri"> expand: %{control:Ldap-UserDescription} -></font></span><span lang="en-gb"> <font face="Calibri">:</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">++[reply] returns noop</font></span><span lang="en-gb"></span></p><div><span lang="en-gb"></span><br class="webkit-block-placeholder"></div><p dir="LTR"><span lang="en-gb"><font face="Calibri">Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.</font></span><span lang="en-gb"></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">Thanks for any help in advance!</font></span></p><p dir="LTR"><span lang="en-gb"><font face="Calibri">Andy</font></span><span lang="en-gb"></span></p>
</div>
-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></blockquote></div><br></div></body></html>