Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Tue May 24 18:03:12 CEST 2011
Hi,
> On 24/05/11 15:23, Martin Goldstone wrote:
>
> > Yes, I have this in both the peap stanza and the ttls stanza. This
> > seems to be fine when access is accepted, for example if I set a
> > Reply-Message saying "Welcome" in the post-auth section of the
> > inner-tunnel config, I see this in the final access-accept message.
> > Also, the output from freeradius -X suggests that (in the case of a user
> > rejection) it gets the reply from the tunnel and that tunneled
>
> Ah, damn...
>
> I've just remembered - the PEAP code doesn't save the attributes on
> reject :o(
>
> As you mentioned in your original email, the outer tunnel code doesn't
> have any of the "useful" info so can only set a generic message.
....For EAP methods with tunneled authentication sessions (i.e. PEAP and EAP-TTLS), the inner tunnel session can also reference "outer.request", "outer.reply", and "outer.control". Those references allow you to address the relevant list in the outer tunnel session.
So, in inner-tunnel post-auth, set "outer.reply" to be whatever you want.
You can then, in the outer layer, query/check or use that reply.
alan
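
An added illustration of the suggestion above, as a FreeRADIUS 2.x unlang fragment (not part of the original message and not taken from the project's shipped configuration). The message strings are constructed, and it is an assumption that the attribute written to outer.reply is still present when the outer server runs its own reject handling.

```unlang
# sites-available/inner-tunnel
# Runs inside the PEAP/TTLS tunnel, where the real reject reason is known.
post-auth {
	Post-Auth-Type REJECT {
		# Write into the OUTER session's reply list instead of the
		# inner reply, which the PEAP code does not copy on reject.
		update outer.reply {
			Reply-Message := "Login failed: check your username and password"
		}
	}
}

# sites-available/default
# Outer server: use what the inner tunnel left behind, otherwise fall
# back to a generic message.
post-auth {
	Post-Auth-Type REJECT {
		if (!reply:Reply-Message) {
			update reply {
				Reply-Message := "Authentication failed"
			}
		}
	}
}
```

Running the server with freeradius -X, as in the quoted message, shows whether the Reply-Message set in the tunnel reaches the final Access-Reject.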