Dnia 10 czerwca 2014 17:58 Alan DeKok <aland@deployingradius.com> napisaĆ(a):
gabriel_skupien wrote:
Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section?
It should. But you should really also try 2.2.5, as 2.1.12 is four years out of date.
2) Can you explain the aim of "Sending Access-Challenge" ?
That's how the protocol works.
2) Where is the best place to authorize users in LDAP while using> EAP-TLS?
That depends on what you're doing.
Is it post-auth?
For you, yes.
ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load
List "ldap.authorize" in the "post-auth" section.
Thanks Alan! That is working fine but.... I do not want to use "ldap.authorize", I would really prefer to use LDAP-Group - ideally in "switch" statement but it seems that it is not supported in FR 2.X. Bulk of if/else statements is also a bad idea because we use dozens of LDAP groups and that will for sure result with LDAP server overload. Any idea? ps. a pure "update reply" without "if" statements is also working, the problem was that I tried LEAP, when I switched to EAP-TLS it started to proces "update reply" section. Gabriel
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html