Hi Grabriel, You are missing in your update reply Service-Type := "Framed-User" Are you following v1.x recipes? BTW, upgrade to 2.2.4 at least, 2.1.12 is very old, and full of bugs specially when using mschap. Regards
Message: 4 Date: Tue, 10 Jun 2014 17:50:17 +0200 From: gabriel_skupien <gabriel_skupien@o2.pl> To: freeradius-users@lists.freeradius.org Subject: post-auth section in FR v2.1.12 Message-ID: <5c9f5cb4.6195ba31.53972939.95a05@o2.pl> Content-Type: text/plain; charset="UTF-8"
I am using EAP-TLS and I am trying to use post-auth section to dynamically assign (based on the ldap group membership) vlan ID to the user. Leaving the LDAP part away for testing purposes and concentrating just on the post-auth section - I cannot make FR to override VLAN ID in post-auth section. Here is the config:
post-auth { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "36" } exec Post-Auth-Type REJECT { attr_filter.access_reject } }
And nothing happens here:
.... # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[reply] returns noop ++[exec] returns noop Sending Access-Challenge of id 127 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "36" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd55884fdd75c9555353e80afe21cb577 Finished request 6. .... But it finally ends with this: ..... Sending Access-Accept of id 128 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "84" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Cisco-AVPair += "XXX" EAP-Message = 0xXXXX Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "XXXX" Finished request 7.
Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section? 2) Can you explain the aim of "Sending Access-Challenge" ? 2) Where is the best place to authorize users in LDAP while using EAP-TLS? Is it post-auth?
ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load
jinx
H