Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source  for 2.2.1, post-auth reject is broken. There was some stuff I was doing a few months ago that got fixed in 2.2.1 … but I'm getting old and can't remember all the details :-(


On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer <Andy.Franks@sath.nhs.uk> wrote:

Inner tunnel post auth question

Hi,

  This may have come up before but I can’t find any solutions :

I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for authorisation/authentication, and am doing all the rest inside the inner tunnel fine.

When the radius returns an access-accept, it runs the stuff in the inner-tunnel post_auth section ok, and I can record the attributes I want to a mysql db, including a custom ldap attribute inserted into a control variable.

However it seems that following a reject, the post_auth reject section of inner-tunnel isn’t actually used, so it doesn’t record any info about the attributes in the sql database if I use an sql call.

Ok .. so do it in the default post_auth reject bit ok but I can’t figure how to pass back control variables to the outer tunnel. I’d imagine it should be similar to the description in the post auth reject section of the inner tunnel :

update outer.reply {

        User-Name = "%{request:User-Name}"

        }


have u got 
use_tunneled_reply = yes
set up in eap.conf?

Rgds
Alex

But the section never gets called, so I tried putting it after the ldap authorization bit, as I can’t do it in the authentication part, or so I gather (no unlang support in there?).

In the below update, ldap-UserDescription is my custom attribute, which I can see from the logs is being populated :

 [ldap] description -> Ldap-UserDescription == "test ip phone"


Authorize {

..

..

ldap

                update outer.control {

               Ldap-UserDescription := "%{control:Ldap-UserDescription}"

                }

}

But again it doesn’t make it through (or am I doing it wrong?)


+- entering group REJECT {...}

        expand: %{control:Ldap-UserDescription} -> :

++[reply] returns noop


Am I being stupid? The best thing would be for the post_auth reject section in inner tunnel to run, but failing that I need to work out the control item passback to the outer tunnel.

Thanks for any help in advance!

Andy

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html