If block in authenticate statement

Alan DeKok aland at deployingradius.com
Mon Nov 9 14:45:01 CET 2015


On Nov 9, 2015, at 8:28 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>  I did try the OK bit at the end of the module, but it still returns noop, which is what confuses me.

  What was the exact configuration you tried?

> Whether I did the ok bit in the correct place is debatable but I did try it in the logical places. Does the ok placement need to be after an "else" statement?

  It needs to be wherever you want to set the return code to be "ok".

> Anyway, onto why - I don't want to flat reject people using that SSID, just people who use PEAP and use mschapv2 (instead of TLS) on certain SSIDs. In certain circumstances I might want them to be allowed if they bring me sweets at Christmas for example.

  Then configure that...

authorize {
	...
	eap
	...

	if ((SSID == "no-peap") && (EAP-Type == PEAP)) {
		reject
	}
	...
}

  Or, you can do the same thing in the inner tunnel.

  But realistically, why ban certain configurations?  Why not configure the client correctly?  And then configure the server to use only one authentication method?

>  The problem is we (afaik) don't find out what the auth type is until the authorize stage where that module (eap in this case) sets it, and the inner auth type here is a few layers into the onion, that's why it sort of made sense to me to do it at "final" authenticate stage. I could probably also do it post-auth too I guess, pass it then check and reject.

  That would work, too.

  Or, you could just set EAP-Type for particular users.

server inner-tunnel {
	authorize {
		...
		if (WiFi == "no-inner-mschap") {
			update control {
				EAP-Type := TLS	# force outer PEAP, inner TLS
			}
		}
		...

		eap

		...
	}
}

> The custom debug message was an "overall" delivery message to indicate why failure had occurred at any point in the chain. Module-Failure-Message only works on certain modules afaik (or did when I last asked) so failures in certain areas would yield blanks. I'd quite happily ditch that if all modules do it now!

  Most should... more do in v3.1.x.

> I also think (from unreliable memory) that I had issues copying some of the attributes from inner to outer, some worked and some didn't - does the module-failure-message get automatically copied now from inner to outer layer?

  No.

  Alan DeKok.
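An added configuration example, not from this thread, that expands both of Alan's fragments above (outer rejection of PEAP, inner handling of MS-CHAPv2) and also does the inner-to-outer copy of Module-Failure-Message that he says is not automatic. It assumes FreeRADIUS 3.0.x, that the stock rewrite_called_station_id policy has populated &Called-Station-SSID from Called-Station-Id ("MAC:SSID"), the EAP-Type value names PEAP and MSCHAPv2 from the internal dictionary, and two constructed SSID names, "corp-tls-only" and "corp-no-inner-mschap":

```unlang
# --- sites-enabled/default: outer request (Alan's first fragment, expanded) ---
authorize {
	rewrite_called_station_id   # assumed stock policy: splits "MAC:SSID" into &Called-Station-SSID
	eap                         # rlm_eap sets &EAP-Type from the outer EAP-Message

	# Reject PEAP outright on the TLS-only SSID; EAP-TLS continues normally.
	if ((&Called-Station-SSID == "corp-tls-only") && (&EAP-Type == PEAP)) {
		update session-state {
			&Module-Failure-Message := "PEAP not permitted on SSID %{Called-Station-SSID}"
		}
		reject
	}
}

post-auth {
	Post-Auth-Type REJECT {
		# session-state is carried across the EAP rounds, so this also sees a
		# reason that the inner tunnel copied out before the final reject.
		update reply {
			&Reply-Message := "%{session-state:Module-Failure-Message}"
		}
	}
}

# --- sites-enabled/inner-tunnel: request inside the TLS tunnel (Alan's second fragment, expanded) ---
server inner-tunnel {
	authorize {
		eap                     # must run first: it is what sets &EAP-Type for the inner request

		# PEAP is allowed outside on this SSID, but MS-CHAPv2 inside it is not.
		# Outer request attributes are reachable from the inner request as &outer.request:...
		if ((&outer.request:Called-Station-SSID == "corp-no-inner-mschap") && (&EAP-Type == MSCHAPv2)) {
			update request {
				&Module-Failure-Message := "Inner MS-CHAPv2 not permitted on SSID %{outer.request:Called-Station-SSID}"
			}
			reject
		}
	}

	post-auth {
		Post-Auth-Type REJECT {
			# Nothing is copied from inner to outer automatically; do it explicitly.
			update outer.session-state {
				&Module-Failure-Message := "%{Module-Failure-Message}"
			}
		}
	}
}
```

Run the server with -X and check that the inner "reject" is followed by a Reply-Message carrying the copied reason in the final Access-Reject; if it is blank, the copy ran in a section that the rejected inner request never reached.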
