If block in authenticate statement
Franks Andy (IT Technical Architecture Manager)
Andy.Franks at sath.nhs.uk
Fri Nov 6 01:20:24 CET 2015
Hi all,
I'm doing something off-piste again probably.
Can I get away with doing an if statement within the mschap auth block? I'm trying to allow peap-eap-mschap inner tunnel auth on certain SSIDs only; without the if statement, it works ok, but when I check against a control variable containing SSID, it produces this:
mschap: --> --nt-response=10fe5a0664f0f3debffdcd61b60865947601331bdefef81c
(9) mschap: Program returned code (0) and output 'NT_KEY: CD7018318BC2359E8A362E0557384BEC'
(9) mschap: Adding MS-CHAPv2 MPPE keys
(9) [mschap] = ok
(9) if (!ok) {
(9) if (!ok) -> FALSE
(9) } # if (( control:SSID == "A_WiFi" ) || ( control:SSID == "Another_WiFi" )) = ok
(9) } # Auth-Type MS-CHAP = noop
(9) inner-eap: Freeing handler
(9) [inner-eap] = reject
Mschap returns ok, but the auth returns noop, and thus rejection happens.
I've tried various combinations of "ok", handled etc after the if block but I'm probably doing something that's not allowed or better done another way.
Auth-type MS-CHAP {
    if (( control:SSID == "A_WiFi" ) || ( control:SSID == "Another_WiFi" )) {
        mschap {
            reject = 1
            invalid = 1
        }
        if (!ok) {
            if (Module-Failure-Message) {
                update outer.control {
                    Debug-RejectInformation := "%{Module-Failure-Message}"
                }
            }
            reject
        }
    }
    else {
        # mschap not allowed on this wifi ssid
        reject
    }
}
Thanks as always
Andy
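
Added example, not part of the original post: a small Python helper that reads the debug lines quoted in the message and reports where the return code changes between consecutive module results and section closes. The function names are hypothetical, and the parser assumes only the two line shapes that appear in the post ("[module] = rcode" and "} # section = rcode").

```python
import re

# Debug lines copied from the post above (request 9).
TRACE = """\
(9) mschap: Adding MS-CHAPv2 MPPE keys
(9) [mschap] = ok
(9) if (!ok) {
(9) if (!ok) -> FALSE
(9) } # if (( control:SSID == "A_WiFi" ) || ( control:SSID == "Another_WiFi" )) = ok
(9) } # Auth-Type MS-CHAP = noop
(9) inner-eap: Freeing handler
(9) [inner-eap] = reject
"""

# "(9) [mschap] = ok"              -> result of a single module call
MODULE = re.compile(r"^\(\d+\)\s+\[(?P<name>[^\]]+)\] = (?P<rcode>\w+)$")
# "(9) } # Auth-Type MS-CHAP = noop" -> result of a closing section
SECTION = re.compile(r"^\(\d+\)\s+\} # (?P<name>.+) = (?P<rcode>\w+)$")


def rcode_steps(trace):
    """Return [(kind, name, rcode)] for each module result and section close."""
    steps = []
    for line in trace.splitlines():
        line = line.strip()
        m = MODULE.match(line)
        if m:
            steps.append(("module", m["name"], m["rcode"]))
            continue
        s = SECTION.match(line)
        if s:
            steps.append(("section", s["name"], s["rcode"]))
    return steps


def rcode_changes(steps):
    """Return (previous, current) pairs where the reported rcode differs."""
    return [(a, b) for a, b in zip(steps, steps[1:]) if a[2] != b[2]]


if __name__ == "__main__":
    for prev, cur in rcode_changes(rcode_steps(TRACE)):
        print(f"{prev[1]!r} = {prev[2]}  ->  {cur[1]!r} = {cur[2]}")
```

On the trace from the post, the first change reported is between the close of the if block (ok) and the close of the Auth-Type MS-CHAP section (noop).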