Hi,

  This may have come up before but I can’t find any solutions :

I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel fine.

When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable.

However it seems that following a reject, the post_auth reject section of inner-tunnel isn’t actually used, so it doesn’t record any info about the attributes in the sql database if I use an sql call.

Ok .. so do it in the default post_auth reject bit ok but I can’t figure how to pass back control variables to the outer tunnel. I’d imagine it should be similar to the description in the post auth reject section of the inner tunnel :

update outer.reply {

        User-Name = "%{request:User-Name}"

        }

But the section never gets called, so I tried putting it after the ldap authorization bit, as I can’t do it in the authentication part, or so I gather (no unlang support in there?).

In the below update, ldap-UserDescription is my custom attribute, which I can see from the logs is being populated :

 [ldap] description -> Ldap-UserDescription == "test ip phone"

Authorize {

..

..

ldap

                update outer.control {

               Ldap-UserDescription := "%{control:Ldap-UserDescription}"

                }

}

But again it doesn’t make it through (or am I doing it wrong?)

+- entering group REJECT {...}

        expand: %{control:Ldap-UserDescription} -> :

++[reply] returns noop

Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.

Thanks for any help in advance!

Andy