PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

Bruce Nunn ironrake at yahoo.com
Sat May 19 15:14:30 CEST 2012


For my installations I've disabled the EAP cache to make things work better. Only a few users noticed. Does anyone know if the same thing happens in the 3.0 branch? I was planning to put one of my production servers on the 3.0 code this summer.

Alan DeKok <aland at deployingradius.com> wrote:

>Phil Mayers wrote:
>> Am I being dumb / getting something wrong or does the post-auth session
>> not get called if PEAP/MSCHAP returns a reject?
>> 
>> It seems to run for successful auths, but not failures.
>
>  That is the case.
>
>> This is in the context of us not seeing log messages for EAP auth
>> failures; I suspect that the client may just "hang up" and let the EAP
>> session expire, and since the inner post-auth doesn't run, and the outer
>> session expires, I have no logs.
>
>  There was talk about getting it to do Post-Auth-Type Reject in the
>inner tunnel.  No code yet, tho.
>
>  Alan DeKok.

