Using Attributes to differentiate between different EAP types
Nathan McDavit-Van Fleet
nmcdavit at alcor.concordia.ca
Wed Sep 16 16:59:03 CEST 2009
I'm still not able to navigate through the values that the modules are
holding. Are there any other pointers in regards to finding where EAP-Type
is nested? I cannot figure out how to even access the EAP module from inside
inner-tunnel.
Regards,
Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension:5434
> -----Original Message-----
> From: freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> Arran Cudbard-Bell
> Sent: Tuesday, September 15, 2009 4:18 PM
> To: FreeRadius users mailing list
> Subject: Re: Using Attributes to differentiate between different EAP types
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15/09/2009 20:57, Nathan McDavit-Van Fleet wrote:
> > Hrmm,
> >
> > Now that it's parsing I find that it doesn't work in terms of actually
> > evaluating the EAP-Type.
> >
> > For if (control.EAP-Type==21) and (outer.control.EAP-Type==21) I always
> get
> > a false even though I am testing for TTLS (21).
>
> Erm... What..
>
> if("%{control:EAP-Type}" == '21')
>
> if("%{outer.control:EAP-Type}" == '21')
>
> The list/attribute separator has always been a colon. Alan did some work
> to make naked variable expansion work, but I still generally stick to the
> double quoted curly braces consistency, or munging
> variables together.
>
> Don't worry about mixing types, the server just looks at the attribute
> type when doing conversions.
>
> >
> > Is there some way to just have the value thrown into the debug output so
> I
> > can see what it is at that moment?
> >
>
> Yes
>
> update request {
> Tmp-String-0 := "%{outer.control:EAP-Type}"
> }
>
>
> Pretty sure you'll also have to have the 'Proxy as EAP' option set in the
> outer tunnel to get the inner EAP type... Else just insert a policy at the
> end of the authorize{} section in the inner tunnel
> to look at control:Auth-Type...
>
> Oh and remember to include cases for Identity-Responses and NAKs else
> you'll break things in weird and interesting ways :)
>
> - -Arran
>
>
> >
> >> -----Original Message-----
> >> From: freeradius-users-
> >> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> >> [mailto:freeradius-users-
> >> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> >> Nathan McDavit-Van Fleet
> >> Sent: Tuesday, September 15, 2009 1:05 PM
> >> To: 'FreeRadius users mailing list'
> >> Subject: RE: Using Attributes to differentiate between different EAP
> types
> >>
> >> Okay,
> >>
> >> Probably everone but me knew this but"
> >> If(blah == blah2)
> >> {
> >>
> >> Doesn't work.
> >>
> >> You have to do
> >>
> >> If(blah == blah2) {
> >>
> >> So no returns for the first curly bracket or it won't parse out.
> >>
> >> Sorry,
> >>
> >> Nathan Van Fleet
> >>
> >>> -----Original Message-----
> >>> From: freeradius-users-
> >>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> >>> [mailto:freeradius-users-
> >>> bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> >>> Ivan Kalik
> >>> Sent: Tuesday, September 15, 2009 12:13 PM
> >>> To: FreeRadius users mailing list
> >>> Subject: RE: Using Attributes to differentiate between different EAP
> >> types
> >>>
> >>>> I'm trying the following code, I've tried most every variation
> >>>> ("request:EAP-Type", "request.EAP-Type","EAP-Type","outer.EAP-Type".)
> >>> but
> >>>> freeradius does not even parse the configuration. I've tried %{} and
> >>> just
> >>>> the bare variables (which works for "outer.NAS-IP-Address").
> >>>
> >>> It's the internal attribute (for local server use), so it should be on
> >> the
> >>> control list (control.EAP-Type).
> >>>
> >>> Ivan Kalik
> >>> Kalik Informatika ISP
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> - --
> Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
> Systems Administrator (AAA),
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqv9mIACgkQcaklux5oVKL1RQCaA+QcE47BGJVD/8QbIaRGmguN
> dpcAn1MC+D/xzXKhfxJUcIjwQewl360d
> =Kh5N
> -----END PGP SIGNATURE-----
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list