On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana <zoumlander@hotmail.com> wrote:
sorry, i ve got persistents problems :
- i filter client certificate under authenticate section (under eap) with : Auth-Type eap { if ( "%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/ ) { reject } }. Firstly, it s' written on "default" file : Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. But, according to me , it's not right because i don't want to enter into post-auth. It must be rejected before.
Try authorize section. The usual method in authorize would be update control { Auth-Type := reject }
secondly,
with this configuration, i try to authenticate a client with certificate OU=xxxxx. According to mode debug, it seemed to work. Client (windows XP) requested 21 times without sucess. But at 22nd, it seemed authenticate sucessful because i see client which is associated to AP. after times (5-10 minutes), Client seemed to be detached and entered in authenticating loop until succeed authenticating.
what does the debug log say? Did FR send access-accept?
do you know why client success authenticating for a time ?
If FR send access-accept, look at debug log to see why it's accepting the request. If FR does NOT send access-accept, it's probably a bug in NAS.
Is it possible to avoid request of certain client ?
If they have a disctinct attribute (e.g. certificate, user-name, calling-station-id, whatever), you can just use unlang.
I restrict authentication request to chooser NAS. I want to avoid clients to enter loop authentication. But these client can request authentication through NAS choosen.
I have no idea what that means. Did you want to allow client A to login from NAS X, but reject it if it tries to login from NAS Y? If yes, try http://wiki.freeradius.org/Huntgroups or http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO -- Fajar