2.1 to 2.2 update question
Alan DeKok
aland at deployingradius.com
Mon Jan 18 14:48:07 CET 2016
On Jan 18, 2016, at 5:19 AM, PENZ Robert <ROBERT.PENZ at TIROL.GV.AT> wrote:
> We did check at which version the problem got introduced and found that 2.2.0 worked and 2.2.1 did not anymore. The relevant config looks this way:
>
> authenticate {
> .....
> Auth-Type EAP {
> eap {
> handled = 1
> invalid = 1
> }
>
> if (ok) {
Don't put policy into the "authenticate" section. Put it into the "post-auth" section. That's the purpose of the post-auth section.
> if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) {
> update control {
> MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz"
> }
> handled
>
> }
> # if the EAP worked, need to overwrite the VLAN, depending on the switch type
> elsif ("%{reply:Tunnel-Private-Group-ID}") {
> update reply {
> Tunnel-Private-Group-ID := "%{sql:SELECT ..... "
> }
Like this... there is no reason to assign the Tunnel-Private-Group-ID for *every single Access-Challenge* packet. It's only needed in the Access-Accept packet.
Alan DeKok.