Override EAP invalid result in authentication section
Alan DeKok
aland at deployingradius.com
Mon May 27 17:12:05 CEST 2013
PENZ Robert wrote:
> I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not reject them to the guest VLAN. My config looks like this:
That will work only for wired authentication, and sometimes not even then.
> # EAP didn't work
> if (EAP-Type == "NAK") {
>     update control {
>         MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
>         Auth-Type := Accept
That doesn't work. You MUST return an EAP-Message attribute in the
reply. Just sending an Access-Accept means that the NAS will *ignore*
it, and close the connection.
And this kind of thing is generally not recommended, because the
server isn't really designed to fail authentication, and then force a
success.
You should instead do as little as possible in the "authenticate"
section. Just change the return code to "ok".
Then do any policy setting (VLAN, etc.) in post-auth.
Alan DeKok.