PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

Bruce Nunn ironrake at
Sat May 19 15:14:30 CEST 2012

For my installations I've disabled the EAP cache to make things work better. Only a few users noticed. Does anyone know if the same thing happens In the 3.0 branch? I was planning to put one of my production servers on the 3.0 code this Summer.

Alan DeKok <aland at> wrote:

>Phil Mayers wrote:
>> Am I being dumb / getting something wrong or does the post-auth session
>> not get called if PEAP/MSCHAP returns a reject?
>> It seems to run for successful auths, but not failures.
>  That is the case.
>> This is in the context of us not seeing log messages for EAP auth
>> failures; I suspect that the client may just "hang up" and let the EAP
>> session expire, and since the inner post-auth doesn't run, and the outer
>> session expires, I have no logs.
>  There was talk about getting it to do Post-Auth-Type Reject in the
>inner tunnel.  No code yet, tho.
>  Alan DeKok.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list