question about session resumption and reply attributes
Anatoli Logvinski
anatoli.logvinski at adelaide.edu.au
Fri May 22 08:11:21 CEST 2009
Thanks a lot guys, it's working properly now
Best regards
Anatoli
Arran Cudbard-Bell wrote:
> Hi,
>
>>> No. You should be running through your authorisation policies on
>>> session resumption. All policies should be moved to the post-auth
>>> section of the outer server.
>>>
>>>
>> but only the inner server knows the real id etc ?
>>
>>
> Yes, so have it tell the outer server... Insert the (attached) snippet
> into the authorize section of the inner server.
>
> There's an issue where outer.reply items aren't merged with the reply
> when doing EAP-TTLS-MSCHAPv2. So you still have to have
> 'use_tunneled_reply' set to yes.
>
> I believe the User-Name attribute in outer.reply is cached, and
> available for use on session resumption. So just:
>
> Auth-Type EAP {
>     eap
>     if (ok && "%{reply:User-Name}") {
>         update request {
>             User-Name := "%{reply:User-Name}"
>         }
>     }
> }
>
> Once you've got the policies moved to post-auth, then any scripts or
> lookups used for authorisation will only be run once, so far greater
> efficiency with complex policies. Rejects are still handled properly
> even within the Post-Auth section (jumps to Post-Auth-Type reject).
>
> Arran
>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
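
Added example, not part of the original thread and not the attachment referred to above: a sketch in FreeRADIUS 2.x unlang of the two pieces the quoted reply describes around its Auth-Type EAP block, namely the inner server handing the real identity to the outer server and the authorisation policy living in the outer post-auth section. The virtual server names, the example.org realms and the VLAN IDs are assumptions.

```unlang
# ADDED EXAMPLE (assumed names and values; not the attachment from the thread).

# Inner server (assumed name: inner-tunnel), authorize section.
# Copy the tunnelled identity into the outer server's reply list so the
# outer server can see it, and so it is available again on resumption.
server inner-tunnel {
    authorize {
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
        mschap
        eap
    }
}

# Outer server (assumed name: default), post-auth section.
# The Auth-Type EAP block quoted in the thread has already rewritten
# request:User-Name from reply:User-Name by the time this runs, so the
# policy below sees the real identity on full and on resumed sessions.
server default {
    post-auth {
        # Placeholder policy: staff realm gets VLAN 10.
        if ("%{User-Name}" =~ /@staff\.example\.org$/) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "10"
            }
        }
        # Placeholder policy: guest realm gets VLAN 20.
        elsif ("%{User-Name}" =~ /@guest\.example\.org$/) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "20"
            }
        }
        # Anything else is refused; per the thread this jumps to
        # Post-Auth-Type REJECT.
        else {
            reject
        }
    }
}
```

For EAP-TTLS-MSCHAPv2 the thread notes that 'use_tunneled_reply' still has to be set to yes for the outer.reply items to reach the reply.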