PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

Phil Mayers p.mayers at
Sat May 19 22:33:57 CEST 2012

Bruce Nunn <ironrake at> wrote:

>For my installations I've disabled the EAP cache to make things work
>better. Only a few users noticed. Does anyone know if the same thing
>happens In the 3.0 branch? I was planning to put one of my production
>servers on the 3.0 code this Summer.
>Alan DeKok <aland at> wrote:
>>Phil Mayers wrote:
>>> Am I being dumb / getting something wrong or does the post-auth
>>> not get called if PEAP/MSCHAP returns a reject?
>>> It seems to run for successful auths, but not failures.
>>  That is the case.
>>> This is in the context of us not seeing log messages for EAP auth
>>> failures; I suspect that the client may just "hang up" and let the
>>> session expire, and since the inner post-auth doesn't run, and the
>>> session expires, I have no logs.
>>  There was talk about getting it to do Post-Auth-Type Reject in the
>>inner tunnel.  No code yet, tho.
>>  Alan DeKok.
>>List info/subscribe/unsubscribe? See
>List info/subscribe/unsubscribe? See

Eap cache? If you're referring to session caching, that's a completely different issue. Cached session resumption by design doesn't run any inner tunnel including post-auth. You need to set Cached-Session-Policy in the inner-tunnel then match it on outer tunnel.
Sent from my phone. Please excuse brevity and typos.

More information about the Freeradius-Users mailing list