On 1/28/2011 3:48 AM, Alan DeKok wrote:
Put the "unlang" in the "authenticate" section, after "eap": Auth-Type eap { eap if (...) { ... } }
Thank you!! That did the trick. The entirety of my authenticate section is now: authenticate { Auth-Type Kerberos { krb5 } Auth-Type eap { eap if ( "%{TLS-Client-Cert-Subject}" =~ /\/OU=Evil\// ) { reject } } } And it works perfectly. Thank you! As for Windows XP dealing with the rejection....
You're sending a *radius* reject. It doesn't include an EAP-Message with an *EAP* reject. So you need to create a fake one: update reply { EAP-Message := 0x } That can work sometimes...
Ah, thanks for the tip. I added this in the "Post-Auth-Type REJECT" section: if ( "%{control:Auth-Type}" == "EAP" ) { update reply { EAP-Message := 0x04010004 } } The code seems to work as expected, but Windows XP still doesn't seem to handle it sensibly. But I can live with that. Thank you, Alan! -Matt