On 17 October 2017 at 23:14, Alan DeKok <aland@deployingradius.com> wrote:
That's not what was suggested. It helps to have some understanding of how the server works.
I am sorry for that misunderstanding By looking on debug log I think eap module must set Auth-Type, and nothing can be executed after eap module. Is this correct? If I use this config authorize { eap if(ok) { debug_all } else { debug_all } } there is no debug_all output in log ---not set Auth-Type version of tls_only virtual site--- WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server tls_only { (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/tls_only (6) authorize { (6) update reply { (6) &Auth-Type := Accept (6) } # update reply = noop (6) } # authorize = noop (6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) Post-Auth-Type sub-section not found. Ignoring. (6) } # server tls_only (6) Virtual server sending reply (6) Auth-Type := Accept (6) eap_tls: Certificate rejected by the virtual server (6) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) eap: Failed in EAP select --set Auth-Type version of tls_only virtual site:- WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server tls_only { (6) session-state: No cached attributes (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/tls_only (6) authorize { (6) update config { (6) &Auth-Type := Accept (6) } # update config = noop (6) } # authorize = noop (6) Found Auth-Type = Accept (6) Auth-Type = Accept, accepting the user (6) } # server tls_only (6) Virtual server sending reply (6) eap_tls: caching TLS-Cert-Serial := "f4f7b543fa1eaa80" (6) eap_tls: caching TLS-Cert-Expiration := "370806185333Z" (6) eap_tls: caching TLS-Cert-Subject := "/CN=CHANGED ca" (6) eap_tls: caching TLS-Cert-Issuer := "/CN=CHANGED ca" (6) eap_tls: caching TLS-Cert-Common-Name := "CHANGED ca" (6) eap_tls: caching TLS-Client-Cert-Serial := "9cd3e44502ae747b" (6) eap_tls: caching TLS-Client-Cert-Expiration := "271017150656Z" (6) eap_tls: caching TLS-Client-Cert-Subject := "/C=US/L=Some wifi Wi-Fi/O=example.com/CN=CHANGED" (6) eap_tls: caching TLS-Client-Cert-Issuer := "/CN=CHANGED ca" (6) eap_tls: caching TLS-Client-Cert-Common-Name := "CHANGED" (6) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (6) eap: Sending EAP Success (code 3) ID 6 length 4 (6) eap: Freeing handler tls: Freeing cached session VPs (6) [eap] = ok (6) } # authenticate = ok