Re: post-auth section in FR v2.1.12

gabriel_skupien gabriel_skupien at o2.pl
Wed Jun 11 13:12:38 CEST 2014



On 10 June 2014 17:58 Alan DeKok <aland at deployingradius.com> wrote:

> gabriel_skupien wrote:
> > Hence, 3 questions:
> > 1) Does FR v2.1.12 support post-auth section?
> >
>   It should.  But you should really also try 2.2.5, as 2.1.12 is four
> years out of date.
> 
> > 2) Can you explain the aim of "Sending Access-Challenge" ?
> >
>   That's how the protocol works.
> 
> > 2) Where is the best place to authorize users in LDAP while using EAP-TLS?
> >
>   That depends on what you're doing.
> 
> > Is it post-auth?
> >
>   For you, yes.
> 
> > ps. it works fine while authorizing users based on LDAP in the authorize
> > section but we prefer to postpone this task to post-auth. In that way we
> > can achieve two goals:
> > -use ldap group membership for vlan assignments and
> > -significantly reduce LDAP load
> >
>   List "ldap.authorize" in the "post-auth" section.

Thanks Alan! That is working fine but....

I do not want to use "ldap.authorize", I would really prefer to use
LDAP-Group - ideally in "switch" statement but it seems that it is not
supported in FR 2.X. Bulk of if/else statements is also a bad idea because
we use dozens of LDAP groups and that will for sure result in LDAP
server overload. Any idea?

ps. a pure "update reply" without "if" statements is also working, the
problem was that I tried LEAP, when I switched to EAP-TLS it started to
process "update reply" section.

Gabriel


> 
>   Alan DeKok.