Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Tue May 24 18:03:12 CEST 2011


Hi,
> On 24/05/11 15:23, Martin Goldstone wrote:
> 
> > Yes, I have this in both the peap stanza and the ttls stanza.  This
> > seems to be fine when access is accepted, for example if I set a
> > Reply-Message saying "Welcome" in the post-auth section of the
> > inner-tunnel config, I see this in the final access-accept message.
> > Also, the output from freeradius -X suggests that (in the case of a user
> > rejection) it gets the reply from the tunnel and that tunneled
> 
> Ah, damn...
> 
> I've just remembered - the PEAP code doesn't save the attributes on 
> reject :o(
> 
> As you mentioned in your original email, the outer tunnel code doesn't 
> have any of the "useful" info so can only set a generic message.

....For EAP methods with tunneled authentication sessions (i.e. PEAP and EAP-TTLS), the inner tunnel session can also reference "outer.request", "outer.reply", and "outer.control". Those references allow you to address the relevant list in the outer tunnel session.


so, in inner-tunnel post-auth, set "outer.reply" to be whatever you want..
you can then, in the outer layer, query/check or use that reply.

alan
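
The suggestion above written out as unlang. This is an added example, not configuration from the thread or from the FreeRADIUS distribution; the message strings are constructed, and it assumes an inner-tunnel virtual server plus an outer virtual server, each with its own post-auth section.

```unlang
# Constructed example. Assumes an inner-tunnel virtual server for the
# tunneled session and an outer virtual server for the EAP conversation.
# The message strings are placeholders.

# --- inner-tunnel virtual server ---
post-auth {
    Post-Auth-Type REJECT {
        # The inner session is where the reason for the reject is known.
        # Write the message into the reply list of the outer session.
        # Keep the text identical for "unknown user" and "wrong password"
        # so the reject does not reveal which accounts exist.
        update outer.reply {
            Reply-Message := "Login failed, contact the helpdesk"
        }
    }
}

# --- outer virtual server ---
post-auth {
    Post-Auth-Type REJECT {
        # Query the reply list: keep whatever the inner session set,
        # otherwise fall back to a generic message.
        if (!reply:Reply-Message) {
            update reply {
                Reply-Message := "Access denied"
            }
        }
    }
}
```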



More information about the Freeradius-Users mailing list