Only run a single post-auth when using inner-tunnel
Hi, I have an exec script that I want to run when authenticating a user. The script takes in the username. I want to run the script both for PEAP authentications and PAP authentications. The problem I have is that if I put the exec in the inner-tunnel post-auth section it will work fine for the PEAP transactions, as it has the username. However if I also want to authenticate PAP, then I need to put it in the default post-auth. So it will work fine for PAP transactions as it has the username. However if its in the default, the script will be run for PEAP transactions with the wrong username (anonymous) and then will fail. Is there some way I can tell the server not to run things in the default post-auth, if the request has been through the inner-tunnel? I'm thinking putting something like the following in the default post-auth section if (!proxy-reply:Packet-Type == "Access-Accept") { radius-user-auth } However this always evaluates as true, even though I can see the inner-tunnel authenticating successfully. thanks, paul
On 07/03/11 10:10, paul smith wrote:
Is there some way I can tell the server not to run things in the default post-auth, if the request has been through the inner-tunnel?
I'm thinking putting something like the following in the default post-auth section
if (!proxy-reply:Packet-Type == "Access-Accept") { radius-user-auth }
How about: post-auth { if (!EAP-Message) { ...the exec module } }
However this always evaluates as true, even though I can see the inner-tunnel authenticating successfully.
Inner tunnel is not proxying, so proxy-reply is always empty, hence evaluates to "true". Don't confusing proxying with EAP phases.
Thanks Phil, thats great works really well. It has set me thinking about a variation though, using EAP-Message would mean that it wouldn't run if it had been through the default only, such as EAP-TLS. Is there something else I could use which would indicate if inner-tunnel had been used? thanks, On Mon, Mar 7, 2011 at 11:08 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 07/03/11 10:10, paul smith wrote:
Is there some way I can tell the server not to run things in the default post-auth, if the request has been through the inner-tunnel?
I'm thinking putting something like the following in the default post-auth section
if (!proxy-reply:Packet-Type == "Access-Accept") { radius-user-auth }
How about:
post-auth { if (!EAP-Message) { ...the exec module } }
However this always evaluates as true, even though I can see the inner-tunnel authenticating successfully.
Inner tunnel is not proxying, so proxy-reply is always empty, hence evaluates to "true". Don't confusing proxying with EAP phases. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07/03/11 12:18, paul smith wrote:
Thanks Phil, thats great works really well.
It has set me thinking about a variation though, using EAP-Message would mean that it wouldn't run if it had been through the default only, such as EAP-TLS. Is there something else I could use which would indicate if inner-tunnel had been used?
The only think I can think is to set a reply variable in the inner-tunnel, then check for it in the outer tunnel: raddb/sites-enabled/inner-tunnel: post-auth { update reply { My-Var = "inner-tunnel" } the-exec } raddb/sites-enabled/default: post-auth { if (reply:My-Var == "inner-tunnel") { } else { the-exec } } raddb/dictionary: ATTRIBUTE My-Var 3001 string raddb/eap.conf: eap { ... peap { ... use_tunneled_reply = yes } ttls { ... use_tunneled_reply = yes } }
Thats perfect, thanks phil, many thanks for the help. On Mon, Mar 7, 2011 at 1:19 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 07/03/11 12:18, paul smith wrote:
Thanks Phil, thats great works really well.
It has set me thinking about a variation though, using EAP-Message would mean that it wouldn't run if it had been through the default only, such as EAP-TLS. Is there something else I could use which would indicate if inner-tunnel had been used?
The only think I can think is to set a reply variable in the inner-tunnel, then check for it in the outer tunnel:
raddb/sites-enabled/inner-tunnel:
post-auth { update reply { My-Var = "inner-tunnel" } the-exec }
raddb/sites-enabled/default:
post-auth { if (reply:My-Var == "inner-tunnel") { } else { the-exec } }
raddb/dictionary:
ATTRIBUTE My-Var 3001 string
raddb/eap.conf:
eap { ... peap { ... use_tunneled_reply = yes } ttls { ... use_tunneled_reply = yes } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
paul smith -
Phil Mayers