Thanks Phil, thats great works really well. It has set me thinking about a variation though, using EAP-Message would mean that it wouldn't run if it had been through the default only, such as EAP-TLS. Is there something else I could use which would indicate if inner-tunnel had been used? thanks, On Mon, Mar 7, 2011 at 11:08 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 07/03/11 10:10, paul smith wrote:
Is there some way I can tell the server not to run things in the default post-auth, if the request has been through the inner-tunnel?
I'm thinking putting something like the following in the default post-auth section
if (!proxy-reply:Packet-Type == "Access-Accept") { radius-user-auth }
How about:
post-auth { if (!EAP-Message) { ...the exec module } }
However this always evaluates as true, even though I can see the inner-tunnel authenticating successfully.
Inner tunnel is not proxying, so proxy-reply is always empty, hence evaluates to "true". Don't confusing proxying with EAP phases. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html