Only run a single post-auth when using inner-tunnel
paul smith
paulsmth37 at googlemail.com
Tue Mar 8 00:54:12 CET 2011
That's perfect, thanks Phil, many thanks for the help.
On Mon, Mar 7, 2011 at 1:19 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 07/03/11 12:18, paul smith wrote:
>>
>> Thanks Phil, that's great, works really well.
>>
>> It has set me thinking about a variation though, using EAP-Message
>> would mean that it wouldn't run if it had been through the default
>> only, such as EAP-TLS.
>> Is there something else I could use which would indicate if
>> inner-tunnel had been used?
>
> The only thing I can think of is to set a reply variable in the inner-tunnel,
> then check for it in the outer tunnel:
>
> raddb/sites-enabled/inner-tunnel:
>
> post-auth {
>     update reply {
>         My-Var = "inner-tunnel"
>     }
>     the-exec
> }
>
> raddb/sites-enabled/default:
>
> post-auth {
>     if (reply:My-Var == "inner-tunnel") {
>     }
>     else {
>         the-exec
>     }
> }
>
> raddb/dictionary:
>
> ATTRIBUTE My-Var 3001 string
>
> raddb/eap.conf:
>
> eap {
>     ...
>     peap {
>         ...
>         use_tunneled_reply = yes
>     }
>     ttls {
>         ...
>         use_tunneled_reply = yes
>     }
> }
More information about the Freeradius-Users
mailing list