Matt Garretson wrote:
It works, but there are two non-ideal things about the way it works:
1) Windows XP doesn't seem to notice the rejection and keeps retrying for a minute or two, ultimately failing to show any failure/error message to the user.
You're sending a *radius* reject. It doesn't include an EAP-Message with an *EAP* reject. So you need to create a fake one: update reply { EAP-Message := 0x04010004 } That can work sometimes...
2) The rejection is not logged in radiusd.log; rather, three "Auth: Login OK" lines are logged (the repetition is due to XP's retries)
Put the "unlang" in the "authenticate" section, after "eap": Auth-Type eap { eap if (...) { ... } }
Is there any way I can address these two issues? I did try putting the above unlang into eap.conf's tls{} section (where check_cert_issuer and check_cert_cn would be), in hopes that the rejection would occur during the auth rather than after it, but the code doesn't seem to have any effect there.
Unlang doesn't go in module configuration sections. Alan DeKok.