post-auth section in FR v2.1.12
gabriel_skupien
gabriel_skupien at o2.pl
Tue Jun 10 17:50:17 CEST 2014
I am using EAP-TLS and I am trying to use the post-auth section to dynamically
assign (based on the LDAP group membership) a VLAN ID to the user. Leaving
the LDAP part aside for testing purposes and concentrating just on the
post-auth section - I cannot make FR override the VLAN ID in the post-auth
section. Here is the config:
post-auth {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "36"
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
And nothing happens here:
....
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[reply] returns noop
++[exec] returns noop
Sending Access-Challenge of id 127 to X.X.X.X port 32769
Tunnel-Private-Group-Id:0 = "36"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x03040004
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd55884fdd75c9555353e80afe21cb577
Finished request 6.
....
But it finally ends with this:
.....
Sending Access-Accept of id 128 to X.X.X.X port 32769
Tunnel-Private-Group-Id:0 = "84"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Cisco-AVPair += "XXX"
EAP-Message = 0xXXXX
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "XXXX"
Finished request 7.
Hence, 3 questions:
1) Does FR v2.1.12 support the post-auth section?
2) Can you explain the aim of "Sending Access-Challenge"?
3) Where is the best place to authorize users in LDAP while using EAP-TLS?
Is it post-auth?
PS. It works fine while authorizing users based on LDAP in the authorize
section, but we prefer to postpone this task to post-auth. In that way we
can achieve two goals:
- use LDAP group membership for VLAN assignments and
- significantly reduce LDAP load
jinx
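As an added example (not from the post above and not FreeRADIUS project code), a small parser for radiusd -X debug output that collects the reply attributes of each "Sending Access-*" packet and reports where a given attribute changes between consecutive replies. Run over the real debug log, it shows at which packet the Tunnel-Private-Group-Id set in post-auth was replaced, which is the first thing to pin down before looking for the section or module that supplies the other value. The sample text below is constructed from the masked output quoted in the post.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the masked radiusd -X output in the post.
SAMPLE_DEBUG = """\
++[reply] returns noop
++[exec] returns noop
Sending Access-Challenge of id 127 to X.X.X.X port 32769
\tTunnel-Private-Group-Id:0 = "36"
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Type:0 = VLAN
\tEAP-Message = 0x03040004
Finished request 6.
Sending Access-Accept of id 128 to X.X.X.X port 32769
\tTunnel-Private-Group-Id:0 = "84"
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Type:0 = VLAN
\tCisco-AVPair += "XXX"
Finished request 7.
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
# Indented "Name:tag = value" or "Name += value" lines; ":N" is the tunnel tag.
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::\d+)?\s*(?:\+=|:=|=)\s*(.*)$")


def parse_replies(debug_text: str) -> List[Dict]:
    """One dict per 'Sending Access-*' line: code, packet id, reply attrs."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            packets.append(current)
        elif current is not None and line.startswith("Finished request"):
            current = None  # attribute lines belong only to the packet just sent
        elif current is not None and (m := ATTR_RE.match(line)):
            current["attrs"][m.group(1)] = m.group(2).strip().strip('"')
    return packets


def attr_changes(packets: List[Dict], attr: str = "Tunnel-Private-Group-Id"):
    """(from id, to id, old, new) wherever attr differs between consecutive replies."""
    out = []
    for prev, cur in zip(packets, packets[1:]):
        old, new = prev["attrs"].get(attr), cur["attrs"].get(attr)
        if old != new:
            out.append((prev["id"], cur["id"], old, new))
    return out
```

Feed the full radiusd -X output to parse_replies and call attr_changes on the result; each tuple names the two packet ids between which the VLAN changed.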