<div dir="ltr">Hi Grabriel,<div><br></div><div>You are missing in your update reply <span style="color:rgb(76,47,45);font-family:Courier;font-size:15px;background-color:rgb(223,219,196)">Service-Type := "Framed-User"</span></div>
<div>Are you following v1.x recipes?</div><div><br></div><div>BTW, upgrade to 2.2.4 at least, 2.1.12 is very old, and full of bugs specially when using mschap.</div><div><br></div><div>Regards<br><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Message: 4<br>
Date: Tue, 10 Jun 2014 17:50:17 +0200<br>
From: gabriel_skupien <<a href="mailto:gabriel_skupien@o2.pl">gabriel_skupien@o2.pl</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: post-auth section in FR v2.1.12<br>
Message-ID: <<a href="mailto:5c9f5cb4.6195ba31.53972939.95a05@o2.pl">5c9f5cb4.6195ba31.53972939.95a05@o2.pl</a>><br>
Content-Type: text/plain; charset="UTF-8"<br>
<br>
I am using EAP-TLS and I am trying to use post-auth section to dynamically<br>
assign (based on the ldap group membership) vlan ID to the user. Leaving<br>
the LDAP part away for testing purposes and concentrating just on the<br>
post-auth section - I cannot make FR to override VLAN ID in post-auth<br>
section. Here is the config:<br>
<br>
post-auth {<br>
update reply {<br>
Tunnel-Type := VLAN<br>
Tunnel-Medium-Type := IEEE-802<br>
Tunnel-Private-Group-Id := "36"<br>
}<br>
exec<br>
Post-Auth-Type REJECT {<br>
attr_filter.access_reject<br>
}<br>
}<br>
<br>
And nothing happens here:<br>
<br>
....<br>
# Executing section post-auth from file<br>
/etc/freeradius/sites-enabled/default<br>
+- entering group post-auth {...}<br>
++[reply] returns noop<br>
++[exec] returns noop<br>
Sending Access-Challenge of id 127 to X.X.X.X port 32769<br>
Tunnel-Private-Group-Id:0 = "36"<br>
Tunnel-Medium-Type:0 = IEEE-802<br>
Tunnel-Type:0 = VLAN<br>
EAP-Message = 0x03040004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xd55884fdd75c9555353e80afe21cb577<br>
Finished request 6.<br>
....<br>
But it finally ends with this:<br>
.....<br>
Sending Access-Accept of id 128 to X.X.X.X port 32769<br>
Tunnel-Private-Group-Id:0 = "84"<br>
Tunnel-Medium-Type:0 = IEEE-802<br>
Tunnel-Type:0 = VLAN<br>
Cisco-AVPair += "XXX"<br>
EAP-Message = 0xXXXX<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
User-Name = "XXXX"<br>
Finished request 7.<br>
<br>
Hence, 3 questions:<br>
1) Does FR v2.1.12 support post-auth section?<br>
2) Can you explain the aim of "Sending Access-Challenge" ?<br>
2) Where is the best place to authorize users in LDAP while using EAP-TLS?<br>
Is it post-auth?<br>
<br>
ps. it works fine while authorizing users based on LDAP in the authorize<br>
section but we prefer to postpone this task to post-auth. In that way we<br>
can achieve to goals:<br>
-use ldap group membership for vlan assignments and<br>
-significantly reduce LDAP load<br>
<br>
jinx<br>
<br>
H</blockquote></div></div></div></div>