Question about outer identity

Martin Pauly pauly at hrz.uni-marburg.de
Fri Jul 31 14:42:16 CEST 2009


Hi Alan,
>   Replace the "ldap123" line in the "authorize" section with:
> 
> 	if (!EAP-Message) {
> 		ldap123
> 	}

works great and is logical indeed -- thanks!

Just for myself and others trying to learn from examples:
I had thought that
         eap {
                 ok = return
         }
would already do the trick when placed above ldap.
But actually, we have
++[eap] returns noop
in case of a non-EAP request -- not 'ok'.
The above statement catches up, only if
there _is_ an EAP request, but no need to bother
LDAP yet (ie during tunnel setup as the comment
suggests).


o.k. here's freeradius' output w/o EAP:
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 30
[files]         expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> TRUE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message) {...}
+++- entering policy ldap123 {...}
++++- entering redundant-load-balance group redundant-load-balance {...}
[ldap1] performing user authorization for Pauly

... and with EAP:
[files] users: Matched entry DEFAULT at line 30
[files]         expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity

-- 
   Dr. Martin Pauly     Fax:    49-6421-28-26994
   HRZ Univ. Marburg    Phone:  49-6421-28-23527
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg 
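
The return-code behaviour discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a small Python model of an "authorize" section that compares `eap { ok = return }` alone against the `if (!EAP-Message)` guard around ldap123. The `updated` return code for an EAP packet outside tunnel setup, the `tunnel_setup` flag and the sample requests are assumptions of the model.

```python
# Toy model of a FreeRADIUS "authorize" section (constructed for illustration).
# Each entry: (name, module function, rcode->action overrides, optional guard).

def eap(req):
    # Per the post: noop without EAP-Message, ok during tunnel setup.
    # "updated" for other EAP packets is an assumption of this model.
    if "EAP-Message" not in req:
        return "noop"
    return "ok" if req.get("tunnel_setup") else "updated"

def files(req):
    return "ok"

def ldap123(req):
    return "ok"

def no_eap_message(req):
    # Models the unlang condition: if (!EAP-Message)
    return "EAP-Message" not in req

def run_authorize(section, req):
    """Return the names of the modules that actually ran, in order."""
    ran = []
    for name, module, actions, guard in section:
        if guard is not None and not guard(req):
            continue                      # if-block skipped, module not called
        rcode = module(req)
        ran.append(name)
        if actions.get(rcode) == "return":
            break                         # e.g. eap { ok = return }
    return ran

# eap { ok = return } placed above an unguarded ldap123
OK_RETURN_ONLY = [("eap", eap, {"ok": "return"}, None),
                  ("files", files, {}, None),
                  ("ldap123", ldap123, {}, None)]
# Same section with ldap123 wrapped in if (!EAP-Message) { ... }
GUARDED = OK_RETURN_ONLY[:2] + [("ldap123", ldap123, {}, no_eap_message)]

# Constructed sample requests
NON_EAP = {"User-Name": "Pauly"}
EAP_IDENTITY = {"User-Name": "Pauly", "EAP-Message": b"\x02\x00\x00\x0a\x01Pauly"}
TUNNEL_SETUP = dict(EAP_IDENTITY, tunnel_setup=True)

if __name__ == "__main__":
    for label, req in [("non-EAP", NON_EAP), ("EAP identity", EAP_IDENTITY),
                       ("tunnel setup", TUNNEL_SETUP)]:
        print(label, run_authorize(OK_RETURN_ONLY, req), run_authorize(GUARDED, req))
```

In this model the override alone keeps LDAP out of the picture only when eap returns ok, while the guard skips ldap123 for every request that carries an EAP-Message.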



