On Apr 22, 2016, at 4:38 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura@nabiq.co.jp> wrote:
Thank you for reply. I changed check-eap-tls before ocsp as bellow
Order in the configuration files doesn't matter. Order *does* matter for "unlang", e.g. in authorize, authenticate, etc.
raddb/sites-enabled/check-eap-tls if ("%{TLS-Client-Cert-Common-Name}" =~ /^.*@domain\.com$/) { update config { &Auth-Type := Accept
You cannot do that. For one, it's "update control", not "update config". And you *cannot* just return "Accept" for EAP-TLS. The protocol is designed to make that impossible. i.e. the configuration file lets you do that, but the client will detect that the protocol is wrong, and stop doing EAP-TLS... and not get on the network.
but in this case ocsp never execute if check-eap-tls success. any ideas?
If you bypass all of EAP-TLS by forcing Access-Accept, then yes... the EAP-TLS checks will not be run. Alan DeKok.