Question about outer identity
Martin Pauly
pauly at hrz.uni-marburg.de
Fri Jul 31 14:42:16 CEST 2009
Hi Alan,
> Replace the "ldap123" line in the "authorize" section with:
>
> if (!EAP-Message) {
> ldap123
> }
works great and is logical indeed -- thanks!
Just for myself and others trying to learn from examples:
I had thought that
    eap {
        ok = return
    }
would already do the trick when placed above ldap.
But actually, we have
++[eap] returns noop
in case of a non-EAP request -- not 'ok'.
The above statement catches up, only if
there _is_ an EAP request, but no need to bother
LDAP yet (i.e. during tunnel setup as the comment
suggests).
o.k. here's freeradius' output w/o EAP:
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 30
[files] expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> TRUE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message) {...}
+++- entering policy ldap123 {...}
++++- entering redundant-load-balance group redundant-load-balance {...}
[ldap1] performing user authorization for Pauly
... and with EAP:
[files] users: Matched entry DEFAULT at line 30
[files] expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
--
Dr. Martin Pauly Fax: 49-6421-28-26994
HRZ Univ. Marburg Phone: 49-6421-28-23527
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
More information about the Freeradius-Users
mailing list
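
Added example (not part of the original post and not FreeRADIUS code): a small Python model of the authorize pass discussed in the message above, showing which requests reach ldap123 with only "eap { ok = return }" in place and which reach it once the "if (!EAP-Message)" guard is added. The "updated" return code for an EAP-Identity packet, the tunnel_setup flag and the sample requests are assumptions made for illustration.

```python
# Simplified model of one pass through the "authorize" section (added example,
# not FreeRADIUS source). Module names follow the debug output in the post.

def eap_authorize(request):
    """Return code of the eap module in authorize (assumed simplification)."""
    if "EAP-Message" not in request:
        return "noop"                  # "[eap] No EAP-Message, not doing EAP"
    if request.get("tunnel_setup"):    # constructed flag: tunnel handshake packet
        return "ok"
    return "updated"                   # assumption: e.g. an EAP-Identity packet


def run_authorize(request, guard_ldap):
    """Return the modules called; guard_ldap models if (!EAP-Message) { ldap123 }."""
    called = ["eap"]
    if eap_authorize(request) == "ok":  # eap { ok = return } fires on "ok" only
        return called
    called += ["unix", "files"]
    if not guard_ldap or "EAP-Message" not in request:
        called.append("ldap123")
    return called


def ldap_queried(request, guard_ldap):
    """True if this request would cause an LDAP lookup."""
    return "ldap123" in run_authorize(request, guard_ldap)


# Constructed sample requests (values are illustrative only)
PAP_REQUEST = {"User-Name": "Pauly", "User-Password": "constructed"}
EAP_IDENTITY = {"User-Name": "Pauly", "EAP-Message": b"\x02\x00\x00\x0a\x01Pauly"}
EAP_TUNNEL = {"User-Name": "Pauly", "EAP-Message": b"\x02\x01\x00\x06\x15\x00",
              "tunnel_setup": True}

if __name__ == "__main__":
    samples = [("non-EAP", PAP_REQUEST), ("EAP identity", EAP_IDENTITY),
               ("EAP tunnel setup", EAP_TUNNEL)]
    for name, req in samples:
        print(f"{name:17} ldap without guard: {ldap_queried(req, False)!s:5} "
              f"with guard: {ldap_queried(req, True)}")
```

In this model the non-EAP request reaches ldap123 in both configurations because eap returns noop rather than ok, which is the behaviour the debug output above shows.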