Only run a single post-auth when using inner-tunnel
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 7 14:19:01 CET 2011
On 07/03/11 12:18, paul smith wrote:
> Thanks Phil, that's great, works really well.
>
> It has set me thinking about a variation though, using EAP-Message
> would mean that it wouldn't run if it had been through the default
> only, such as EAP-TLS.
> Is there something else I could use which would indicate if
> inner-tunnel had been used?
The only thing I can think of is to set a reply variable in the
inner-tunnel, then check for it in the outer tunnel:

raddb/sites-enabled/inner-tunnel:

    post-auth {
        # mark the reply as having gone through the inner tunnel
        update reply {
            My-Var = "inner-tunnel"
        }
        the-exec
    }

raddb/sites-enabled/default:

    post-auth {
        if (reply:My-Var == "inner-tunnel") {
            # the-exec already ran in the inner-tunnel post-auth
        }
        else {
            the-exec
        }
    }

raddb/dictionary:

    ATTRIBUTE My-Var 3001 string

raddb/eap.conf:

    eap {
        ...
        peap {
            ...
            # copy the inner-tunnel reply attributes to the outer reply
            use_tunneled_reply = yes
        }
        ttls {
            ...
            use_tunneled_reply = yes
        }
    }