Thanks Alan and Matthew, that has got it going (after a long time looking at a stupid mistake I made!). On a reject I did get an error message detailed below. I changed the LDAP condition to check for a group called 'cheese', rather than my real LDAP group in order to force a rejection. This does reject but gives an EAP error. Is this just the normal way it drops out of the check-eap-tls virtual server? It certainly does what I want, but at the moment I'm treating red as something bad. Dave (44) if (Ldap-Group != "cheese") -> TRUE (44) if (Ldap-Group != "cheese") { (44) update config { (44) Auth-Type := Reject (44) } # update config = noop (44) } # if (Ldap-Group != "cheese") = noop (44) } # if ("%{User-Name}" =~ /^host\/(.*)\\.ad\\.kent\\.ac\\.uk$/i) = noop (44) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (44) auth_log : --> /var/log/radius/radacct/129.12.6.216/auth-detail-20160128 (44) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/129.12.6.216/auth-detail-20160128 (44) auth_log : EXPAND %t (44) auth_log : --> Thu Jan 28 16:29:23 2016 (44) [auth_log] = ok (44) } # authorize = ok (44) Found Auth-Type = Reject (44) Auth-Type = Reject, rejecting user (44) Failed to authenticate the user (44) Login incorrect: [host/LT7VISC18.ad.kent.ac.uk] (from client cwlc-cer port 2 cli 24:77:03:ac:c4:94 via TLS tunnel) (44) Using Post-Auth-Type Reject (44) Reply: (44) } # server check-eap-tls (44) eap_tls : Certificates were rejected by the virtual server SSL: Removing session 819d396e4ac42d139e27941979cef5340eeca0bba6ed20fb285ff3dd518d3d6f from the cache (44) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed (44) eap : Failed in EAP select (44) [eap] = invalid (44) } # authenticate = invalid (44) Failed to authenticate the user (44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed) On 25/01/16 17:08, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I'm struggling to find any documentation or examples on using the check_eap_tls module. It is a case of putting something in our local eduroam virtual server to punt TLS attempts off to this server? Where would you put that without breaking the EAP-PEAP authentication?
just call virtual_server = check-eap-tls in the TLS specific sub-section of eap
the original commit for this feature is:
https://github.com/mcnewton/freeradius-server/commit/fbee1e9b4ce93c15d0f074a...
peap and ttls have their own subsections so can be treated differently
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html