Arran Cudbard-Bell <arran.cudbard-bell@hp.com> wrote:
On 1/17/2010 8:37 AM, Alexander Clouter wrote:
James J J Hooper<jjj.hooper@bristol.ac.uk> wrote:
In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth&& ensure the inner tunnel sets: reply:outer User-Name to request:inner User-Name and then key my VLAN computation (in outer post-auth) from reply:User-Name.
We have been doing authorisation depending on the outer layer since summer.
How did you get around the "my policy rejects you now, but i've already sent a tunneled success TLV in the TLS tunnel and you're now ignoring my EAP-Failure messages" issue... or are you just happily ignoring it/ encouraging adoption of TTLS-PAP like I was? :)
Probably as I do not use user *authorisation*... :P It's nuts to do user authorisation for network nodes, user authorisation lives further up the stack and should stay in the realm of layer 5 where it belongs. What I do though is let user authentication 'bootstrap' the host authentication, so you think of it that "I user xyz vouch that I am responsible for MAC address abc for the duration of my session"; with that in mind you can forget about user authorisation...which is just a plain nasty idea anyway. If yer interested, you can see what I'm doing more or less: http://stuff.digriz.org.uk/freeradius-public-20100101.tar.gz Been a few minor changes/cleanups since though so be gentle ;) Cheers -- Alexander Clouter .sigmonster says: Preserve Wildlife! Throw a party today!