Only run a single post-auth when using inner-tunnel

paul smith paulsmth37 at
Mon Mar 7 11:10:01 CET 2011


I have an exec script that I want to run when authenticating a user.
The script takes in the username.

I want to run the script both for PEAP authentications and PAP authentications.

The problem I have is that if I put the exec in the inner-tunnel
post-auth section it will work fine for the PEAP transactions, as it
has the username.
However if I also want to authenticate PAP, then I need to put it in
the default post-auth. So it will work fine for PAP transactions as it
has the username.

However if its in the default, the script will be run for PEAP
transactions with the wrong username (anonymous) and then will fail.

Is there some way I can tell the server not to run things in the
default post-auth, if the request has been through the inner-tunnel?

I'm thinking putting something like the following in the default
post-auth section

	if (!proxy-reply:Packet-Type == "Access-Accept") {

However this always evaluates as true, even though I can see the
inner-tunnel authenticating successfully.



More information about the Freeradius-Users mailing list