Updating Reply-Message in the inner-tunnel then reject-ing
Bob Franklin
rcf34 at cam.ac.uk
Tue Mar 9 10:51:11 CET 2010
Hello (again),

To aid debugging, I'm adding some Reply-Message values upon rejection,
to indicate why we rejected it, in some obvious cases.

In the authorize stanza of the inner-tunnel virtual server, I can do:

    update reply {
        Reply-Message := '[cam.ac.uk] Inner identity in invalid format'
    }

... this updates the Reply-Message in the inner-tunnel (so
'%{reply:Reply-Message}' returns this message) and appears to propagate
back out of the tunnel as '%{reply:Reply-Message}' is set to the same
thing outside it (i.e. back in the 'default' server), in the case of
intermediate challenges and the final 'Access-Accept'.

However, if I do this and then issue 'reject' to deny the login, the
Reply-Message doesn't seem to get out of the inner-tunnel and
'%{reply:Reply-Message}' outside it is empty. I've tried 'update
outer.reply { ... }' and that doesn't work, either. I presume it also
wouldn't get out to clients, either.

Is this a bug (this is 2.1.6) or am I doing this wrong?

- Bob
--
Bob Franklin <rcf34 at cam.ac.uk> +44 1223 748479
Network Division, University of Cambridge Computing Service