post-auth section in FR v2.1.12 - Re: Freeradius-Users Digest, Vol 110, Issue 39

Rui Ribeiro ruyrybeyro at gmail.com
Tue Jun 10 22:57:22 CEST 2014


Hi Gabriel,

You are missing Service-Type := "Framed-User" in your update reply.
Are you following v1.x recipes?

BTW, upgrade to 2.2.4 at least; 2.1.12 is very old and full of bugs,
especially when using mschap.

Regards

>
> Message: 4
> Date: Tue, 10 Jun 2014 17:50:17 +0200
> From: gabriel_skupien <gabriel_skupien at o2.pl>
> To: freeradius-users at lists.freeradius.org
> Subject:  post-auth section in FR v2.1.12
> Message-ID: <5c9f5cb4.6195ba31.53972939.95a05 at o2.pl>
> Content-Type: text/plain; charset="UTF-8"
>
> I am using EAP-TLS and I am trying to use post-auth section to dynamically
> assign (based on the ldap group membership) vlan ID to the user. Leaving
> the LDAP part away for testing purposes and concentrating just on the
> post-auth section - I cannot make FR to override VLAN ID in post-auth
> section. Here is the config:
>
> post-auth {
>         update reply {
>                 Tunnel-Type := VLAN
>                 Tunnel-Medium-Type := IEEE-802
>                 Tunnel-Private-Group-Id := "36"
>         }
>         exec
>         Post-Auth-Type REJECT {
>                 attr_filter.access_reject
>         }
> }
>
> And nothing happens here:
>
> ....
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++[reply] returns noop
> ++[exec] returns noop
> Sending Access-Challenge of id 127 to X.X.X.X port 32769
>         Tunnel-Private-Group-Id:0 = "36"
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Type:0 = VLAN
>         EAP-Message = 0x03040004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd55884fdd75c9555353e80afe21cb577
> Finished request 6.
> ....
> But it finally ends with this:
> .....
> Sending Access-Accept of id 128 to X.X.X.X port 32769
>         Tunnel-Private-Group-Id:0 = "84"
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Type:0 = VLAN
>         Cisco-AVPair += "XXX"
>         EAP-Message = 0xXXXX
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "XXXX"
> Finished request 7.
>
> Hence, 3 questions:
> 1) Does FR v2.1.12 support the post-auth section?
> 2) Can you explain the aim of "Sending Access-Challenge"?
> 3) Where is the best place to authorize users in LDAP while using EAP-TLS?
> Is it post-auth?
>
> ps. It works fine while authorizing users based on LDAP in the authorize
> section, but we prefer to postpone this task to post-auth. In that way we
> can achieve two goals:
> - use ldap group membership for vlan assignments, and
> - significantly reduce LDAP load
>
> jinx
>
> H
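For readers who want to see the LDAP-group-driven VLAN assignment the poster describes written out in full, here is an added example of a v2.x post-auth section. It is not code from the thread or from the FreeRADIUS project. It assumes an ldap module instance named "ldap" with a working groupmembership filter (so that an Ldap-Group comparison triggers the group lookup), that Ldap-Group can be evaluated from post-auth in this release (unverified here), and the group names and VLAN IDs are placeholders. It includes the Service-Type attribute the reply above recommends, and it rejects accounts that match no known group rather than letting the switch fall back to a default VLAN.

```unlang
# Added example, not from the thread: VLAN assignment from LDAP group
# membership in sites-enabled/default, FreeRADIUS 2.x unlang syntax.
# Assumptions: ldap module instance "ldap" with a groupmembership filter;
# group names and VLAN IDs below are placeholders.
post-auth {
        # Each Ldap-Group comparison is answered by the ldap module's
        # group membership check for the request's User-Name.
        if (Ldap-Group == "vlan-engineering") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "36"
                        Service-Type := Framed-User
                }
        }
        elsif (Ldap-Group == "vlan-guests") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "84"
                        Service-Type := Framed-User
                }
        }
        else {
                # No mapped group: refuse access instead of handing the
                # port to whatever VLAN the switch uses by default.
                update reply {
                        Reply-Message := "No VLAN mapping for this account"
                }
                reject
        }
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

Note that in the debug output quoted above, post-auth runs before the Access-Challenge of request 6 as well as before the Access-Accept of request 7, so a group lookup placed here is executed on every EAP round of the TLS handshake, not only once at the end; the LDAP load reduction the poster is after depends on that being acceptable.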