Hi!
That doesn't work. You MUST return an EAP-Message attribute in the reply. Just sending an Access-Accept means that the NAS will *ignore* it, and close the connection.
I've removed the "Auth-Type := Accept" lines and keep the "ok" line. so it looks this way # EAP didn't work if (EAP-Type == "NAK") { update control { MACAU-Reason := "unsupported EAP typ --> Client misconfiguration" } } else { update control { MACAU-Reason := "certificate invalid (e.g. revoked/expired)" } } ok which leads to this Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE Tue May 28 09:49:44 2013 : Info: +++- entering else else {...} Tue May 28 09:49:44 2013 : Info: ++++[control] returns invalid Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user. Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxx/<via Auth-Type = EAP>] (from client xxxxxxxxxxx port 1015 cli xxxxxxxxxxxx) Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject Tue May 28 09:49:44 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
And this kind of thing is generally not recommended, because the server isn't really designed to fail authentication, and then force a success. You should instead do as little as possible in the "authenticate" section. Just change the return code to "ok". Then do any policy setting (VLAN, etc.) in post-auth.
But I can't change a Reject to Accept in Post-Auth .. at least that's what I read. Can you show me what I should to? I don't need to change VLANs .. just need an accept, the VLAN is already correct (set in authorize already as it's the same as for MAC authentication) Robert