Unlang in auth-type sections

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Feb 7 16:18:24 CET 2008


Hi,

EAP type module in autz sets Auth-Type to be EAP, allowing:

Auth-Type {
       eap
       ... unlang
}

But it appears the eap module releases the tunneled reply into the
current reply list, then everything skips to post-auth.

    #
    #  Allow EAP authentication.
    Auth-Type EAP {
        eap
        # Parse User-Name sent back from EAP-Tunnel
        if(ok && "%{reply:User-Name}"){
            update request {
                User-Name := "%{reply:User-Name}"
            }
            $INCLUDE  ${unlangdir}/uidrewrite.conf
        }
    }


auth: type "EAP"
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client 
hp-e-its-dev8021x-sw1 port 1 cli 001b63a3a8dd)
+- entering group post-auth
++[reply] returns noop

Is this intentional?

This is to do with logging with User-Names returned from the inner 
tunnel. It almost seems like this is something that belongs in the EAP 
module with an option to copy the User-Name from the tunnelled request 
to the outer request at the point the tunnelled reply is released.

But I'm not sure, still trying to reason out the best way to deal with 
inner/outer identities.

Thanks,
Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
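
The logging concern raised in the post, as an added example that is not part of the original message or of FreeRADIUS: a small audit over "Login OK" lines in the format shown above that reports accepted EAP logins recorded only under an anonymous outer identity. The anonymous-identity heuristic and the sample log (client names, MACs, users) are assumptions constructed for illustration.

```python
import re

# Matches only the "Login OK" line format shown in the post. \s+ between
# tokens tolerates the line wrapping that mail clients introduce.
LOGIN_RE = re.compile(
    r"Login OK:\s+\[(?P<user>[^/\]]*)/<via Auth-Type = (?P<auth_type>[^>]+)>\]\s+"
    r"\(from\s+client\s+(?P<client>\S+)\s+port\s+(?P<port>\d+)"
    r"(?:\s+cli\s+(?P<cli>[^)\s]+))?\)"
)

def is_anonymous(user):
    """Assumption: an outer identity hides the user when its local part
    is empty or 'anonymous' (e.g. 'anonymous', 'anonymous@realm', '@realm')."""
    local = user.split("@", 1)[0].strip().lower()
    return local in ("", "anonymous")

def audit(log_text):
    """Return (logins, unattributed): every parsed EAP 'Login OK' entry and
    the subset recorded only under an anonymous outer identity."""
    logins = [m.groupdict() for m in LOGIN_RE.finditer(log_text)
              if m.group("auth_type").strip().upper() == "EAP"]
    unattributed = [e for e in logins if is_anonymous(e["user"])]
    return logins, unattributed

# Constructed sample log (client names and MACs are made up); the first entry
# is wrapped across two lines the way the output in the post is.
SAMPLE_LOG = """\
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client
sw-lab-1 port 1 cli 001122334455)
+- entering group post-auth
Login OK: [jdoe@example.org/<via Auth-Type = EAP>] (from client sw-lab-1 port 2 cli 00aabbccddee)
Login OK: [@example.org/<via Auth-Type = EAP>] (from client sw-lab-2 port 7 cli 0011223344ff)
Login OK: [bob/<via Auth-Type = PAP>] (from client sw-lab-2 port 8 cli 001122334400)
"""

if __name__ == "__main__":
    logins, unattributed = audit(SAMPLE_LOG)
    print(f"{len(unattributed)} of {len(logins)} EAP logins have no usable User-Name")
    for e in unattributed:
        # The calling station (cli) and switch port are the only handles left.
        print(f"  user={e['user']!r} client={e['client']} port={e['port']} cli={e['cli']}")
```

For the entries it reports, the client, port and calling-station fields are the only attribution left in the auth log until the inner identity is recorded somewhere.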



