Custom handling of EAP module reject

Alan DeKok aland at
Thu Apr 6 15:55:07 CEST 2017

On Apr 6, 2017, at 8:30 AM, Alberto Martínez <alberto.martinez at> wrote:
>   Please post EXACTLY what you did.  Saying "I tried things and it didn't work" is unhelpful.
> I mean this:
> server rogue-inner-tunnel {
> ...
> authorize {
>         ....
>         redundant {
>                 eap_rogue
>                 "%{sql_custom:<redacted>}"
>         }
>         ....
> }
> ...
> }

  <sigh>  If only there was some kind of debug output where the server would tell you what it's doing, and why.

   As I guessed, you're running this in the inner-tunnel.  If you had bothered to read the debug output, you'd see that the request sent to the inner-tunnel server doesn't have Called-Station-SSID.

  There are documented ways of addressing the outer attributes.  See "man unlang".

  It would be good to learn how to (a) ask good questions, (b) follow instructions, (c) read the existing documentation, and (d) learn how to problem solve.  i.e. read the debug output and pay attention to it.

  I have no idea why you're giving out as little information as possible.  It's frustrating, and unhelpful.

> > How can I intercept the reject action?
> > And, even better: How can I access from unlang to the "TLS Alert
> > read:fatal:unknown CA" string?
>   In v3, you can't.
> Oh, ok :(
> Where could I? Was it in v1 or v2

  We didn't remove functionality in newer versions of the server.  That just makes no sense.

> Or will be in v4?

  Sure.  Send a patch.

  Alan DeKok.

More information about the Freeradius-Users mailing list