EAP authentication accept, user not found

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Sep 26 17:53:34 CEST 2011


On 26 Sep 2011, at 17:27, andreapepa wrote:

> http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log 
> 
> In the attached file the complete log, didn't notice before that the
> process was so long..

A notfound return code in the authorize section means continue with a priority of 1.

The EAP module runs after the SQL module and returns handled. A handled return code in the authorize section means return and so the notfound return code is never processed.

If you want the server to stop processing the request if the user isn't found in the SQL database, rewrite the notfound return code to reject.

sql {
	notfound = reject
}

Unfortunately there's no way to signal the EAP module to send an EAP fail, so you have to do it manually...

Add the following to policy.conf

policy {
	# Rewrite whatever EAP-Message is in the reply into an EAP-Failure.
	# The captured hex pair is reused as the Identifier byte; the trailing
	# 0004 is the Length field (header only, no data).
	eap_failure {
		if (EAP-Message =~ /^..([0-9a-f]{2})/i) {
			update reply {
				EAP-Message := "0x04%{1}0004"
			}
		}
	}
	...
}

Then add a call in

post-auth {
	post-auth-type REJECT {
		eap_failure
	}
}

That rewrites the EAP message returned with the reject to be a 'fail' with the correct ID field value. Extremely hacky, but it works, and is the only way to do it currently...

-Arran


Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
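The rewrite above is doing byte surgery on the EAP header, so as an added example (not code from Arran's post or from the FreeRADIUS project) here is the same construction spelled out in Python against the RFC 3748 wire layout: Code (1 byte), Identifier (1 byte), Length (2 bytes). An EAP-Failure is Code 4 with Length 4 and no data, and its Identifier must match the Identifier of the peer's last EAP-Message or the supplicant will discard it. The sample response packet is constructed here for the demonstration; the function names are mine.

```python
import struct

# EAP packet codes from RFC 3748 section 4 (protocol constants).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# Constructed sample: an EAP-Response/Identity for the user "bob" with
# Identifier 0x5a. Header = 02 5a 00 08, then Type 1 (Identity) + "bob".
SAMPLE_RESPONSE = bytes.fromhex("025a0008") + b"\x01bob"


def parse_eap_header(eap_message: bytes):
    """Return (code, identifier, length) from the 4-byte EAP header.

    Raises ValueError if the message is too short to carry a header, which is
    the case the policy's regex silently skips (no match, no rewrite).
    """
    if len(eap_message) < 4:
        raise ValueError("EAP-Message shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", eap_message[:4])
    if length < 4 or length > len(eap_message):
        raise ValueError("EAP Length field inconsistent with message size")
    return code, ident, length


def eap_failure_for(request_eap: bytes) -> bytes:
    """Build the EAP-Failure whose Identifier matches the peer's message.

    Code 4, Identifier copied from the request, Length 4 (header only).
    """
    _, ident, _ = parse_eap_header(request_eap)
    return struct.pack("!BBH", EAP_FAILURE, ident, 4)


def to_freeradius_hex(octets: bytes) -> str:
    """Render octets as FreeRADIUS prints an octets attribute: "0x" + hex.

    This is the form the unlang policy assembles from "0x04%{1}0004".
    """
    return "0x" + octets.hex()


if __name__ == "__main__":
    code, ident, length = parse_eap_header(SAMPLE_RESPONSE)
    print(f"request: code={code} id={ident:#04x} length={length}")
    print("reply EAP-Message:", to_freeradius_hex(eap_failure_for(SAMPLE_RESPONSE)))
```

Run against the sample, the reply EAP-Message comes out as `0x045a0004`: Failure, same Identifier as the response, length 4. The length check in `parse_eap_header` is the edge case worth keeping in a real deployment: a truncated or oversized Length field should be rejected rather than have an Identifier pulled out of garbage.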