<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>Inner tunnel post auth question</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Hi,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> This may have come up before but I can</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">’t find any solutions :</FONT></SPAN><SPAN LANG="en-gb"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">I’m using a NAS which always</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">performs</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> EAP/MSCHAP2</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">–</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> fine.</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">When the radius returns an access-accept, it runs the stuff in the</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">inner-tunnel</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">post_auth section ok, and I can record the attributes I want to a mysql db</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">, including a custom ldap attribute inserted into a control variable</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">.</FONT></SPAN><SPAN LANG="en-gb"> </SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">However it seems that following a reject, the post_auth reject section of inner-tunnel isn</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">’t actually used, so it doesn’t record any info about the attributes in the sql database</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> if I use an sql call</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">.</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Ok .. so do it in the default post_auth reject bit</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">–</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> ok</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">but I can’t figure how to pass back control variables to the outer tunnel. I’d imagine it should be</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">similar to the description in the post auth reject section of the inner tunnel :</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">update outer.reply {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> User-Name = "%{request:User-Name}"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> </FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">But th</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">e</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> section never gets called</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">, so I tried putting it after the ldap authorization bit</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">, as I can’t do it in the authentication part, or so I gather (no unlang support in there?)</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">.</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">In the below update,</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">ldap-UserDescription is my custom attri</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">b</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">u</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">t</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri">e, which</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">I can see from the logs is being populated :</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> [ldap] description -> Ldap-UserDescription == "test ip phone"</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Authorize {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">..</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">..</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">ldap</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> update outer.control {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> Ldap-UserDescription := "%{control:Ldap-UserDescription}"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> }</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">But again it doesn’t make it through</FONT></SPAN><SPAN LANG="en-gb"><FONT FACE="Calibri"> (or am I doing it wrong?)</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">+- entering group REJECT {...}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> expand: %{control:Ldap-UserDescription} -></FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">:</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">++[reply] returns noop</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Thanks for any help in advance!</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Andy</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
</BODY>
</HTML>