Alan DeKok schrieb:
jonr@destar.net wrote:
How do I set up a freeradius server so that if the password fails for the primary radius server it tries the secondary for the password.
In 2.0.1, you should be able to do:
authenticate { ... Auth-Type pap { pap if (reject) { update control { Proxy-To-Realm := "realm" } ok } } ... }
Should this kind of mechanism in 2.0.1 also be able to do something similar for eap? In case I have this debug output: Wed Feb 6 14:14:40 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired ^M Wed Feb 6 14:14:40 2008 : Error: TLS Alert write:fatal:certificate expired ^M Wed Feb 6 14:14:40 2008 : Error: TLS_accept:error in SSLv3 read client certificate B ^M Wed Feb 6 14:14:40 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned^M Wed Feb 6 14:14:40 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.^M Wed Feb 6 14:14:40 2008 : Debug: eaptls_process returned 13 ^M Wed Feb 6 14:14:40 2008 : Debug: rlm_eap: Freeing handler^M Wed Feb 6 14:14:40 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 9^M Wed Feb 6 14:14:40 2008 : Debug: ++[eap] returns reject^M I would like to send more information than simply "reject" to radpostauth, something like: Certificate error Auth-Type eap { eap if (reject) { update control { Module-Failure-Message := "Certificate error" } } reject } } and in radiusd.conf: Post-Auth = "INSERT INTO ${postauth_table} ....values (... '%{control:Module-Failure-Message}',.. ) This does not work for me. Is it expected to do what I want and I have a configuration error? Or is this not the right way to do this? If it should work: What's the fault here? Thanks Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html