Override EAP invalid result in authentication section

Alan DeKok aland at deployingradius.com
Mon May 27 17:12:05 CEST 2013


PENZ Robert wrote:
> I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not reject them to the guest VLAN. My config looks like this:

  That will work only for wired authentication, and sometimes not even then.

>                 # EAP didn't work
>                 if (EAP-Type == "NAK") {
>                     update control {
>                         MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
>                         Auth-Type := Accept

  That doesn't work.  You MUST return an EAP-Message attribute in the
reply.  Just sending an Access-Accept means that the NAS will *ignore*
it, and close the connection.

  And this kind of thing is generally not recommended, because the
server isn't really designed to fail authentication, and then force a
success.

  You should instead do as little as possible in the "authenticate"
section.  Just change the return code to "ok".

  Then do any policy setting (VLAN, etc.) in post-auth.

  Alan DeKok.

