Hi, EAP type module in autz sets Auth-Type to be EAP, allowing : Auth-Type { eap ... unlang } But it appears the eap module releases the tunneled reply into the current reply list, then everything skips to post-auth. # # Allow EAP authentication. Auth-Type EAP { eap # Parse User-Name sent back from EAP-Tunnel if(ok && "%{reply:User-Name}"){ update request { User-Name := "%{reply:User-Name}" } $INCLUDE ${unlangdir}/uidrewrite.conf } } auth: type "EAP" +- entering group EAP rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler ++[eap] returns ok Login OK: [anonymous/<via Auth-Type = EAP>] (from client hp-e-its-dev8021x-sw1 port 1 cli 001b63a3a8dd) +- entering group post-auth ++[reply] returns noop Is this intentional ? This is to do with logging with User-Names returned from the inner tunnel. It almost seems like this is something that belongs in the EAP module with an option to copy the User-Name from the tunnelled request to the outer request at the point the tunnelled reply is released. But i'm not sure, still trying to reason out the best way to deal with inner/outer identities. Thanks, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
But it appears the eap module releases the tunneled reply into the current reply list, then everything skips to post-auth.
Hmm... yes. The intent of the "authenticate" section was to run *one* module, not to do more than that. The comments in raddb/sites-enabled/default explain that "unlang" rules *should* be run in the post-auth section, not the authenticate section.
# # Allow EAP authentication. Auth-Type EAP { eap
I suppost that the rule of "call one thing" in the authenticate section could be extended to allow unlang inside of an Auth-Type section.
Is this intentional ?
Yes. Alan DeKok.
participants (2)
-
Alan DeKok -
Arran Cudbard-Bell