Capturing a failure from EAP

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Fri Jul 25 15:25:04 CEST 2014


>>  No.  You *can* override EAP.  See the debug output.

Hi

Log says : 
..
(8)  ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(8)  eap : Failed in EAP select
(8)    [eap] = invalid
(8)     if (!ok)
(8)     if (!ok)  -> TRUE
(8)    if (!ok)  {
(8)     update control {
(8) EXPAND %{Module-Failure-Message}
(8)    --> eap_tls: SSL says error 10 : certificate has expired
(8)     Debug-RejectInformation := "eap_tls: SSL says error 10 : certificate has expired"
(8)     } # update control = noop
(8)     [ok] = ok
(8)    } # if (!ok)  = ok
(8)     if (reject)
(8)     if (reject)  -> FALSE
(8)     if (invalid)
(8)     if (invalid)  -> FALSE
(8)   } # if (control:ClientReject == 0 )  = ok
(8)  } # Auth-Type eap = ok
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8)  Post-Auth-Type REJECT {
..

It's interesting that my if (invalid) doesn't work, but that's probably not the issue. I'm doing:

if (!ok) {
        update control {
                Debug-RejectInformation := "%{Module-Failure-Message}"
        }
        ok
}

The ok in another module doesn't seem to stop the auth taking the "ok" we've pushed, for example here it's failed ntlm auth:
  [ntlm_auth] = reject
(0)    if (reject)
(0)    if (reject)  -> TRUE
(0)   if (reject)  {
(0)    update control {
(0)     ClientReject := 1
(0)    } # update control = noop
(0)    [ok] = ok
(0)   } # if (reject)  = ok
(0)  } # Auth-Type ntlm_auth = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {

Here I just do this:

if (reject) {
        update control {
                ClientReject := 1
        }
        ok
}

.. and the auth completes with success.

Guess I'm missing something!
Thanks
Andy
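As an added example (not part of the thread), a small parser for the kind of radiusd -X output quoted above: it collects each module's return code, the expanded Module-Failure-Message, the Auth-Type section result and the Post-Auth-Type per request, so you can see at a glance that the EAP request's rcode was overridden to ok yet still went to Post-Auth-Type Reject. The sample lines are constructed from the thread, not a real capture.

```python
"""Summarise per-request module return codes from FreeRADIUS 3 debug (radiusd -X) output."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
SAMPLE_DEBUG = """\
(8)    [eap] = invalid
(8) EXPAND %{Module-Failure-Message}
(8)    --> eap_tls: SSL says error 10 : certificate has expired
(8)     [ok] = ok
(8)  } # Auth-Type eap = ok
(8) Using Post-Auth-Type Reject
(0)   [ntlm_auth] = reject
(0)    [ok] = ok
(0)  } # Auth-Type ntlm_auth = ok
"""

LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")                 # "(8)  body"
RCODE_RE = re.compile(r"^\[(\S+)\] = (\w+)$")                # "[eap] = invalid"
SECTION_RE = re.compile(r"^\} # (Auth-Type \S+) = (\w+)$")   # "} # Auth-Type eap = ok"
POSTAUTH_RE = re.compile(r"^Using Post-Auth-Type (\w+)$")

def parse_debug(text):
    """Return {request_id: {rcodes, failures, sections, post_auth}} for each request seen."""
    reqs = defaultdict(lambda: {"rcodes": [], "failures": [], "sections": {}, "post_auth": None})
    awaiting = set()  # requests whose next "-->" line is the Module-Failure-Message expansion
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2).strip()
        r = reqs[req]
        if body == "EXPAND %{Module-Failure-Message}":
            awaiting.add(req)
        elif body.startswith("--> ") and req in awaiting:
            awaiting.discard(req)
            r["failures"].append(body[4:])
        elif (mm := RCODE_RE.match(body)):
            r["rcodes"].append((mm.group(1), mm.group(2)))
        elif (mm := SECTION_RE.match(body)):
            r["sections"][mm.group(1)] = mm.group(2)
        elif (mm := POSTAUTH_RE.match(body)):
            r["post_auth"] = mm.group(1)
    return dict(reqs)

def override_report(req):
    """Did unlang turn a failing module rcode into a section 'ok', and was the request still rejected?"""
    failed = [(mod, rc) for mod, rc in req["rcodes"] if rc in ("reject", "invalid", "fail")]
    return {
        "failed_modules": failed,
        "section_overridden": bool(failed) and "ok" in req["sections"].values(),
        "still_rejected": req["post_auth"] == "Reject",
        "failure_messages": req["failures"],
    }
```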

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 25 July 2014 13:13
To: FreeRadius users mailing list
Subject: Re: Capturing a failure from EAP

Franks Andy (RLZ) IT Systems Engineer wrote:
>   Can someone just confirm whether I can override the module codes in
> the eap auth module?

  Yes.  EAP is a module just like anything else.

>   I’m trying

  And... what does the debug log show?

> I know it looks odd, but I’m trying to override the reject packet with
> an accept but with attributes that force the client into a specific
> remuneration vlan / policy on the wireless controller.

  That's impossible.  The design of WiFi and how it works with EAP makes
that impossible.

> Maybe this is by design. I can override all the other modules ok just
> not eap.

  No.  You *can* override EAP.  See the debug output.

  The supplicant and wireless controller will refuse to communicate when
you override EAP.  But that has nothing to do with FreeRADIUS.

  Alan DeKok.