PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

alan buxey A.L.M.Buxey at
Sat May 19 13:37:57 CEST 2012


> > Am I being dumb / getting something wrong or does the post-auth session
> > not get called if PEAP/MSCHAP returns a reject?
> > 
> > It seems to run for successful auths, but not failures.
>   That is the case.
> > This is in the context of us not seeing log messages for EAP auth
> > failures; I suspect that the client may just "hang up" and let the EAP
> > session expire, and since the inner post-auth doesn't run, and the outer
> > session expires, I have no logs.
>   There was talk about getting it to do Post-Auth-Type Reject in the
> inner tunnel.  No code yet, tho.

interesting/useful - I was seeing exactly the same behaviour last week when setting
something up...thought I was going a bit mad and was going to post something
to this lst next week... failed PEAP/MSCHAP doesnt enter the post-auth reject
session whether its local or a remote (proxied) one. I did something else at the time
as a work-around but it would be good to have the failure code hit just as PAP
requests get


More information about the Freeradius-Users mailing list