Hi, I was expecting a reply from you, what took you so long! :) Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
So you have two issues: 1) Post-Auth REJECT isn't processed in the inner tunnel
2) Authenticate->EAP does not process additional statements after EAP has rejected the user.
Regarding 1: I've discussed this with Alan before. Not running Post-Auth in the inner server probably is a bug. It's certainly not intuitive behavior. But you can work around it.
Good good, thought I was doing something wholly stupid.
Regarding 2: Good news and bad news. Yes, that's normal, bug free behavior. Override the rcode for EAP not to be reject e.g.
Right, there I was strange then. I rejigged things....
inner-eap { invalid = 1 fail = 1 reject = 1 }
...and realised once I saw this bit I can lower the load on the LDAP server by 90% with your advice. Should have remembered this trick eariler, cheers :)
Bad news, I believe there's a logic error with how rcodes propagate through unlang stanzas. You may find an If or Update statement rejecting the user at a later time. I reviewed the source code with Alan a while back and he said there'd probably be a fix in a later versions.
...and this explains the quirk I stumbled on with my rejigging. I owe you a beer, tokens redeemable in April. :) Cheers -- Alexander Clouter .sigmonster says: Life is difficult because it is non-linear.