EAP/TTLS + virtual_server woes
Alexander Clouter
alex at digriz.org.uk
Sat Oct 3 00:48:45 CEST 2009
Hi,
I was expecting a reply from you, what took you so long! :)
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk> wrote:
>
> So you have two issues:
> 1) Post-Auth REJECT isn't processed in the inner tunnel
>
> 2) Authenticate->EAP does not process additional statements after EAP
> has rejected the user.
>
> Regarding 1: I've discussed this with Alan before. Not running
> Post-Auth in the inner server probably is a bug. It's certainly not
> intuitive behavior. But you can work around it.
>
Good good, thought I was doing something wholly stupid.
> Regarding 2: Good news and bad news. Yes, that's normal, bug free
> behavior. Override the rcode for EAP not to be reject e.g.
>
Right, there I was being strange then. I rejigged things...
> inner-eap {
> invalid = 1
> fail = 1
> reject = 1
> }
>
...and realised once I saw this bit I can lower the load on the LDAP
server by 90% with your advice. Should have remembered this trick
earlier, cheers :)
> Bad news, I believe there's a logic error with how rcodes propagate
> through unlang stanzas. You may find an If or Update statement
> rejecting the user at a later time. I reviewed the source code with
> Alan a while back and he said there'd probably be a fix in a later
> version.
>
...and this explains the quirk I stumbled on with my rejigging.
I owe you a beer, tokens redeemable in April. :)
Cheers
--
Alexander Clouter
.sigmonster says: Life is difficult because it is non-linear.
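The rcode override quoted above, written out as a complete inner-tunnel authenticate section. This is an added example, not configuration from the thread or from the FreeRADIUS distribution; it assumes FreeRADIUS 2.x unlang, an EAP module instance named eap (the poster's is called inner-eap), an illustrative Reply-Message text, and that a bare reject statement at the end of the block is enough to fix the section's final return code.

```unlang
# Added example for the inner-tunnel virtual server (FreeRADIUS 2.x unlang).
# Assumptions: the EAP module instance is called "eap" (the thread's poster
# names theirs "inner-eap"), the Reply-Message text is illustrative, and the
# trailing "reject" statement pins the section's final return code.
authenticate {
	Auth-Type EAP {
		eap {
			# By default reject, fail and invalid are "return" codes and
			# stop the section immediately.  Giving them a priority
			# instead lets the statements below run after EAP rejects.
			invalid = 1
			fail = 1
			reject = 1
		}

		# Only reached because of the overrides above.  Stands in for the
		# Post-Auth-Type REJECT handling that the inner tunnel does not run.
		if (reject) {
			update reply {
				Reply-Message := "Inner authentication failed"
			}
			# Re-assert the final code so the return code of the update
			# above cannot turn the rejection into anything else.
			reject
		}
	}
}
```

Because the thread reports that rcodes do not always propagate through unlang as expected, verify the result with the server in debug mode (radiusd -X) and confirm that a failed inner authentication still ends with the inner tunnel returning reject and the outer TTLS exchange producing an Access-Reject, rather than trusting the configuration by inspection.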