Re: post-auth section in FR v2.1.12
gabriel_skupien at o2.pl
Wed Jun 11 13:12:38 CEST 2014
Dnia 10 czerwca 2014 17:58 Alan DeKok <aland at deployingradius.com> napisał(a):
> gabriel_skupien wrote:
> > Hence, 3 questions:
> > 1) Does FR v2.1.12 support post-auth section?
> It should. But you should really also try 2.2.5, as 2.1.12 is four
> years out of date.
> > 2) Can you explain the aim of "Sending Access-Challenge" ?
> That's how the protocol works.
> > 2) Where is the best place to authorize users in LDAP while using> EAP-TLS?
> That depends on what you're doing.
> > Is it post-auth?
> For you, yes.
> > ps. it works fine while authorizing users based on LDAP in the authorize
> > section but we prefer to postpone this task to post-auth. In that way we
> > can achieve to goals:
> > -use ldap group membership for vlan assignments and
> > -significantly reduce LDAP load
> List "ldap.authorize" in the "post-auth" section.
Thanks Alan! That is working fine but....
I do not want to use "ldap.authorize", I would really prefer to use
LDAP-Group - ideally in "switch" statement but it seems that it is not
supported in FR 2.X. Bulk of if/else statements is also a bad idea because
we use dozens of LDAP groups and that will for sure result with LDAP
overload. Any idea?
ps. a pure "update reply" without "if" statements is also working, the
problem was that I tried LEAP, when I switched to EAP-TLS it started to
proces "update reply" section.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users