Ivan Kalik <tnt@kalik.net> wrote:
Okay, I munched over the source code and I'm guessing I'm being a crettin, but I'm hoping you can tell me what I'm doing wrong.
If you use the 'virtual_server' functionality in the ttls{} section of eap.conf, everything works great if you get an Access-Accept from the inner virtual server ('auth' for me). When I say "works great", I mean the 'post-auth' section of the EAP calling ('auth-eap') virtual server is munched through. However, if 'Access-Reject' is returned then 'post-auth' is not parsed and it bombs immediently back out to the to outer virtual server's ('dot1x') post-proxy section.
Try testing the reply:Packet-Type there. If it's Access-Reject do those updates.
That's the problem, I cannot test *anything* there. Even if I make the authenticate section: Auth-Type EAP { eap if ( .... ) { } } That 'if ()' block never gets checked. To me it looks like it should go into 'post-auth {}' and then nosey for a 'Post-Auth-Type Reject', but it does not do that either...annoyingly. Not the end of the world, but it would let me see which usernames are failing to login (as my logging occurs in 'dot1x' I only see there '@example.com' and get 'auth' and 'auth-eap' to pass up the User-Name to the outer virtual server). Cheers -- Alexander Clouter .sigmonster says: Do, or do not; there is no try.