AW: Override EAP invalid result in authentication section

PENZ Robert ROBERT.PENZ at TIROL.GV.AT
Tue May 28 10:06:58 CEST 2013


Hi!

>  That doesn't work.  You MUST return an EAP-Message attribute in the
> reply.  Just sending an Access-Accept means that the NAS will *ignore*
> it, and close the connection.

I've removed the "Auth-Type := Accept" lines and kept the "ok" line, so it looks this way:

    # EAP didn't work
    if (EAP-Type == "NAK") {
        update control {
            MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
        }
    }
    else {
        update control {
            MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
        }
    }

    ok

which leads to this:

Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK")
Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++- entering else else {...}
Tue May 28 09:49:44 2013 : Info: ++++[control] returns invalid
Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user.
Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxx/<via Auth-Type = EAP>] (from client xxxxxxxxxxx port 1015 cli xxxxxxxxxxxx)
Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject
Tue May 28 09:49:44 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default

> And this kind of thing is generally not recommended, because the
> server isn't really designed to fail authentication, and then force a
> success.
> You should instead do as little as possible in the "authenticate"
> section.  Just change the return code to "ok".
> Then do any policy setting (VLAN, etc.) in post-auth.

But I can't change a Reject to an Accept in Post-Auth .. at least that's what I read. Can you show me what I should do? I don't need to change VLANs .. I just need an accept; the VLAN is already correct (it is set in authorize already, as it's the same as for MAC authentication).

Robert
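To see where the failing return code in a debug trace like the one above actually originates (here the inner "update control" block, so the trailing "ok" is never reached), the following is an added Python helper; it is my own example, not FreeRADIUS code or anything posted in this thread, and it assumes the '+'-prefixed radiusd debug format shown in the message, with the host/client fields already masked.

```python
import re

# Debug trace copied from the post above (host/client fields were already
# masked with x's in the original).
TRACE = """\
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK")
Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == "NAK") -> FALSE
Tue May 28 09:49:44 2013 : Info: +++- entering else else {...}
Tue May 28 09:49:44 2013 : Info: ++++[control] returns invalid
Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid
Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user.
Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/xxxxxxxx/<via Auth-Type = EAP>] (from client xxxxxxxxxxx port 1015 cli xxxxxxxxxxxx)
Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject
"""

# "+++- else else returns invalid": the pluses give the nesting depth, the rest
# names the module call or unlang block and the return code it produced.
RETURN_RE = re.compile(r": Info: (\++)-?\s*(.*?) returns (\w+)$")
LOGIN_RE = re.compile(r": Auth: Login incorrect \((.*?)\):")
POSTAUTH_RE = re.compile(r": Info: Using Post-Auth-Type (\w+)")

FAILING_CODES = {"fail", "reject", "invalid", "userlock", "notfound"}

def parse_returns(trace):
    """Return (depth, name, rc) for every 'returns' line in the debug output."""
    out = []
    for line in trace.splitlines():
        m = RETURN_RE.search(line)
        if m:
            out.append((len(m.group(1)), m.group(2), m.group(3)))
    return out

def innermost_failure(trace):
    """Deepest statement that produced a failing code, i.e. where the section's
    final return code originated (for the trace above: the [control] update)."""
    bad = [r for r in parse_returns(trace) if r[2] in FAILING_CODES]
    if not bad:
        return None
    _depth, name, rc = max(bad, key=lambda r: r[0])
    return name, rc

def final_outcome(trace):
    """(Post-Auth type, TLS/EAP failure reason) as logged, or None if absent."""
    post = POSTAUTH_RE.search(trace)
    reason = LOGIN_RE.search(trace)
    return (post and post.group(1), reason and reason.group(1))
```

Running the helpers over TRACE pins the "invalid" on the [control] update at depth 4, which the enclosing else blocks then propagate up to the section.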

