Is there an easy well to determin in post-auth which authentication method was used to authenticate a user? We have a fairly complex setup where a user can be "authenticated" by MAC address in the Authorize section or via EAP-TLS or EAP-PEAP, both with their own virtual servers. In the outer post-auth I want to call a logging module that explicitly says how the user was authenticated but I can't find an attribute which I can reliably check. Thanks, Jonathan -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
On Mar 31, 2016, at 11:03 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
Is there an easy well to determin in post-auth which authentication method was used to authenticate a user?
control:Auth-Type. That works for the default authentication types.
We have a fairly complex setup where a user can be "authenticated" by MAC address in the Authorize section or via EAP-TLS or EAP-PEAP, both with their own virtual servers.
That's a bit different.
In the outer post-auth I want to call a logging module that explicitly says how the user was authenticated but I can't find an attribute which I can reliably check.
If you're manually authenticating users via MAC address in the "authorize" section, you MUST also manually track which authentication method they used. Alan DeKok.
On 31/03/16 16:07, Alan DeKok wrote:
On Mar 31, 2016, at 11:03 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
If you're manually authenticating users via MAC address in the "authorize" section, you MUST also manually track which authentication method they used.
In the policy we use for MAC "authentication" we already have: update control { Auth-Type := Accept } If one or other of the inner EAP servers authenticates a user, what will the value of Auth-Type be? Something other than "Accept"? Thanks, Jonathan -- Jonathan Gazeley Senior Systems Administrator IT Services University of Bristol
On Mar 31, 2016, at 11:10 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
In the policy we use for MAC "authentication" we already have:
update control { Auth-Type := Accept }
OK, that's good.
If one or other of the inner EAP servers authenticates a user, what will the value of Auth-Type be? Something other than "Accept"?
It will be EAP. You'll probably also want to track the inner Auth-Type, and also EAP-Type. Alan DeKok.
On Thu, Mar 31, 2016 at 04:03:15PM +0100, Jonathan Gazeley wrote:
In the outer post-auth I want to call a logging module that explicitly says how the user was authenticated but I can't find an attribute which I can reliably check.
control:Auth-Type control:EAP-Type or add your own attribute in the right places to save whatever you want (e.g. "MAC" or "EAP-PEAP" etc), as e.g. Auth-Type might not distinguish between mac auth or plain user/password auth depending on how you've configured things. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Jonathan Gazeley -
Matthew Newton