On 17 October 2017 at 13:26, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
...
Should be possible, just call eap in authorise with method override.
i.e.
authorize { eap
if (&control:Auth-Type == EAP) { eap.authenticate } }
I tried the next config, like you suggested authorize { eap if (&control:Auth-Type == EAP) { eap.authenticate } eap.authenticate if (ok) { debug_all update control { Proxy-To-Realm := 'testing-realm' } } } and got this in debug log server tls_only { (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/tls_only (6) authorize { (6) update request { (6) Supplicant-User-Name := TLS-Client-Cert-Common-Name -> 'changed_1' (6) } # update request = noop (6) update config { (6) &Auth-Type := Accept (6) } # update config = noop (6) } # authorize = noop (6) Found Auth-Type = Accept (6) Auth-Type = Accept, accepting the user (6) } # server tls_only (6) Virtual server sending reply (6) eap_tls: caching TLS-Cert-Serial := "f4f7b543fa1eaa80" (6) eap_tls: caching TLS-Cert-Expiration := "370806185333Z" (6) eap_tls: caching TLS-Cert-Subject := "/CN=CHANGED" (6) eap_tls: caching TLS-Cert-Issuer := "/CN=CHANGED" (6) eap_tls: caching TLS-Cert-Common-Name := "CHANGED" (6) eap_tls: caching TLS-Client-Cert-Serial := "changed" (6) eap_tls: caching TLS-Client-Cert-Expiration := "271017150656Z" (6) eap_tls: caching TLS-Client-Cert-Subject := "/C=US/L=Secure Wi-Fi/O=example.com/CN=changed_1" (6) eap_tls: caching TLS-Client-Cert-Issuer := "/CN=changed" (6) eap_tls: caching TLS-Client-Cert-Common-Name := "changed_1" (6) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (6) eap: Sending EAP Success (code 3) ID 6 length 4 (6) eap: Freeing handler tls: Freeing cached session VPs (6) [eap.authenticate] = ok (6) } # if (&control:Auth-Type == EAP) = ok (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x8920cc6c8c26c12e (6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (6) eap: Failed in handler (6) [eap.authenticate] = invalid (6) } # authorize = invalid (6) Using Post-Auth-Type Reject And also I tried delete Auth-Type what suggested by Alan DeKok
On 17 October 2017 at 17:50, Alan DeKok <aland@deployingradius.com> wrote:
Oh god... that might actually work.
You'd also have to delete the Auth-Type := EAP, too. And maybe add an "Auth-Type noop", with a "noop" thing there. Because the server really does expect to run an authenticate method.
authorize { eap if (&control:Auth-Type == EAP) { update control { Auth-Type !* ANY } eap.authenticate } eap.authenticate if (ok) { debug_all update control { Proxy-To-Realm := 'testing-realm' } } } This also not helped. What else can I try, Vladimir