Only run a single post-auth when using inner-tunnel
paul smith
paulsmth37 at googlemail.com
Mon Mar 7 13:18:26 CET 2011
Thanks Phil, that's great, works really well.
It has set me thinking about a variation though, using EAP-Message
would mean that it wouldn't run if it had been through the default
only, such as EAP-TLS.
Is there something else I could use which would indicate if
inner-tunnel had been used?
thanks,
On Mon, Mar 7, 2011 at 11:08 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 07/03/11 10:10, paul smith wrote:
>
>> Is there some way I can tell the server not to run things in the
>> default post-auth, if the request has been through the inner-tunnel?
>>
>> I'm thinking putting something like the following in the default
>> post-auth section
>>
>> if (!proxy-reply:Packet-Type == "Access-Accept") {
>> radius-user-auth
>> }
>
> How about:
>
> post-auth {
> if (!EAP-Message) {
> ...the exec module
> }
> }
>
>>
>> However this always evaluates as true, even though I can see the
>> inner-tunnel authenticating successfully.
>
> Inner tunnel is not proxying, so proxy-reply is always empty, hence
> evaluates to "true". Don't confuse proxying with EAP phases.