Thanks a lot guys, it's working properly now Best regards Anatoli Arran Cudbard-Bell wrote:
Hi,
No. You should be running through your authorisation policies on session resumption. All policies should be moved to the post-auth section of the outer server.
but only the inner server knows the real id etc ?
Yes, so have it tell the outer server... Insert the (attached) snippet into the authorize section of the inner server.
There's an issue where outer.reply items aren't merged with the reply when doing EAP-TTLS-MSCHAPv2. So you still have to have 'use_tunneled_reply' set to yes.
I believe the User-Name attribute in outer.reply is cached, and available for use on session resumption. So just:
Auth-Type EAP { eap if(ok && "%{reply:User-Name}"){ update request { User-Name := "%{reply:User-Name}" } } }
Once you've got the policies moved to post-auth, then any scripts or lookups used for authorisation will only be run once, so far greater efficiency with complex policies. Rejects are still handled properly even within the Post-Auth section (jumps to Post-Auth-Type reject).
Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html