EAP/TTLS + virtual_server woes

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Oct 2 14:24:30 CEST 2009


So you have two issues:
1) Post-Auth REJECT isn't processed in the inner tunnel
2) Authenticate->EAP does not process additional statements after EAP has rejected the user.

Regarding 1: I've discussed this with Alan before. Not running Post-Auth in the inner server probably is a bug. It's certainly not intuitive behavior. But you can work around it.

Regarding 2: Good news and bad news. Yes, that's normal, bug-free behavior. Override the rcode for EAP so that it is not reject, e.g.:

inner-eap {
	# numeric priorities instead of "return": a reject, fail or
	# invalid from EAP no longer ends the section immediately, so the
	# statements after this module call are still processed
	invalid = 1
	fail = 1
	reject = 1
}


Bad news: I believe there's a logic error with how rcodes propagate through unlang stanzas. You may find an If or Update statement rejecting the user at a later time. I reviewed the source code with Alan a while back and he said there'd probably be a fix in later versions.

Arran
-- 
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
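As an added example (not from Arran's post and not the FreeRADIUS project's default configuration), here is how the rcode override from the post might sit in the authenticate section of the inner-tunnel virtual server, followed by an explicit rejection so that a later if or update statement cannot change the outcome. The instance name inner-eap is taken from the post; the Auth-Type subsection name, the use of the outer.reply list and the Reply-Message text are assumptions. Which Auth-Type the instance actually sets should be confirmed in radiusd -X output before relying on the subsection being selected.

```unlang
#  sites-available/inner-tunnel (FreeRADIUS 2.x), authenticate section.
#  Added example; not the project's shipped configuration.
authenticate {
	#  Assumption: the inner-eap instance sets Auth-Type to its own
	#  name, so this is the subsection rad_authenticate selects.
	#  Confirm with "radiusd -X": look for "Found Auth-Type = inner-eap".
	Auth-Type inner-eap {
		inner-eap {
			#  Priorities instead of "return": a reject, fail or
			#  invalid from EAP no longer ends the section here,
			#  so the statements below still run.
			invalid = 1
			fail = 1
			reject = 1
		}

		#  Return-code conditions test the section's running result,
		#  which at this point reflects what inner-eap returned.
		if (reject || fail || invalid) {
			#  Hypothetical: surface the failure to the outer session.
			update outer.reply {
				Reply-Message := "Inner authentication failed"
			}

			#  The update above can itself change the section's
			#  return code, which is the trap described in the post.
			#  Re-assert the rejection explicitly with the "reject"
			#  instance of rlm_always (raddb/modules/always) instead of
			#  relying on the original reject surviving later statements.
			reject
		}
	}
}
```

The point of the trailing reject is that once reject, fail and invalid have been demoted to priorities, nothing after the module call is guaranteed to keep the user rejected; ending the failure branch with an explicit reject makes the outcome independent of how intermediate statements propagate their rcodes.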
