Norbert Wegener wrote:
... The client authenticates via a certificate. Everything works as expected. Nevertheless someone inspecting the switch logs found: ... and claimed, the Access-Challenge with Tunnel-Private-Group, Tunnel-Medium-Type etc. are not RFC compatible.
Yes.
I can see those values in radiusd -AX, too, but didn't care.
My question is: Is he right? If so: How would I have to change the configuration?
Ideally, the attributes in the reply should be sent ONLY on Access-Accept. i.e. the configuration should NOT update the reply until it has determined that the user has been authenticated. This involves moving most of the policy from the "authorize" section to the "post-auth" section.
In my sites-enabeld/default I have: ... # ldap1/2 set control:Huntgroup-Name.
redundant {
Which section? authorize? Alan DeKok.