On Jan 18, 2016, at 5:19 AM, PENZ Robert <ROBERT.PENZ@TIROL.GV.AT> wrote:
We did check at which version the problem got introduced and found that 2.2.0 worked 2.2.1 did not anymore. The relevant config looks this way
authenticate { ..... Auth-Type EAP { eap { handled = 1 invalid = 1 }
if (ok) {
Don't put policy into the "authenticate" section. Put it into the "post-auth" section. Thats the purpose of the post-auth section.
if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) { update control { MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz" } handled
} # hat das EAP worked, need to overright the vlan, depending on the switch type elsif ("%{reply:Tunnel-Private-Group-ID}") { update reply { Tunnel-Private-Group-ID := "%{sql:SELECT ..... " }
Like this... there is no reason to assign the Tunnel-Private-Group-ID for *every single Access-Challenge* packet. It's only needed in the Access-Accept packet. Alan DeKok.