Integration with CISCO Router for PEAP requests

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Aug 31 10:43:27 CEST 2012


*sigh*

You cannot do what you want. Even if you send an Access-Accept, the client will most likely disconnect of its own accord, because you cannot fake a success message in the inner tunnel. Unless of course you're using some weird funky Cisco client that ignores all the standards.

If you really don't believe us, try it for yourself:

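post-auth {
	# Runs only for requests that have been rejected
	Post-Auth-Type REJECT {
		# Reply holds an EAP-Failure (code 0x04): capture its identifier byte
		if("%{reply:EAP-Message}" =~ /0x04([0-9a-f]{2}).*/i){
			update reply {
				# EAP-Success (code 0x03), same identifier, length 0x0004
				EAP-Message := "0x03%{1}0004"
			}
		}
		# Send the reply as an Access-Accept instead of an Access-Reject
		update control {
			Response-Packet-Type := Access-Accept
		}
	}
}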

Note: Modifying Response-Packet-Type may not be supported in future versions.

-Arran



On 30 Aug 2012, at 17:52, Andras Ionut <ionut.andras at gmail.com> wrote:

> Hi Phil,
> 
> Sorry if this looks dumb to you.
> 
> I've read your post; the reason I've explicitly asked how to do this in PEAP is because in the post it says:
> "This only works for PAP, and does NOT work for EAP-TLS, CHAP, MSCHAP, or WIMAX authentication."
> 
> Now, I especially need to send Access-Accept for PEAP with inner EAP-MSCHAPv2, and also I don't use MySQL to select the users.
> I've also tried to set Access-Accept as any other AVP from my FreeRADIUS module, but it doesn't work. (extract from log attached)
> 
> Can you please help?
> 
> Thanks in advance.
> Andras
> 
> 
> 
> 
> 
> On 30/08/12 15:11, Andras Ionut wrote:
> > Hi Phil,
> >
> > Thanks a lot for the quick response.
> >
> > I need this for PEAP with EAP protocol inside the tunnel, like EAP-MSCHAPv2.
> >
> > Again, the device MUST reject the connection as EAP is not completed,
> > but the ROUTER needs that Access-Accept,
> > in order to be able to redirect user to portal.
> >
> > Can this be done?
> 
> The technique to do this is described in the FAQ entry I linked. Did you 
> read it?
> 
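What the regex rewrite in the Post-Auth-Type REJECT block does to the EAP packet, as an added Python example (not part of the original post and not FreeRADIUS code). The function names are hypothetical and the sample packets are constructed. It shows that the result is a bare 4-byte outer EAP-Success with no data field.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(hexstr):
    """Parse an EAP packet given as a FreeRADIUS-style hex string ("0x...")."""
    digits = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the packet")
    # RFC 3748 section 4.2: Success and Failure packets have Length 4, no data
    if code in (3, 4) and length != 4:
        raise ValueError("Success/Failure packets carry no data")
    return {
        "code": EAP_CODES.get(code, "Unknown"),
        "id": ident,
        "length": length,
        "data": raw[4:length],
    }


def rewrite_failure_to_success(hexstr):
    """Mirror the unlang rule: /0x04([0-9a-f]{2}).*/i -> "0x03%{1}0004"."""
    m = re.search(r"0x04([0-9a-f]{2}).*", hexstr, re.IGNORECASE)
    if not m:
        return hexstr  # not an EAP-Failure, left untouched
    return "0x03" + m.group(1) + "0004"


if __name__ == "__main__":
    failure = "0x04090004"       # constructed: EAP-Failure, identifier 0x09
    peap_req = "0x010a00061920"  # constructed: EAP-Request, type 25 (PEAP)
    for pkt in (failure, peap_req):
        out = rewrite_failure_to_success(pkt)
        print(pkt, "->", out, parse_eap(out))
```

The rewritten packet keeps only the identifier of the original Failure; nothing in it can carry a result from the method running inside the PEAP tunnel.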
