freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede lists at
Wed May 10 20:18:52 CEST 2017

Am Mittwoch, 10. Mai 2017, 17:00:47 CEST schrieben Sie:
> %{EAP-Type} should be populated - and the value, &EAP-Type works - you
> may need to check its numeric value.  are you using latest 3.0.x ?

  if (%{EAP-Type} == EAP-TLS)

yields the following lines and ends in no operation taken:

 # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/policy.d/
 # Skipping contents of 'elsif' as it is always 'false' -- /etc/raddb/

>From an actual request:
(11)       if (%{EAP-Type} == EAP-TLS) {
(11)       if (%{EAP-Type} == EAP-TLS)  -> FALSE
(11)       elsif (%{EAP-Type} == PEAP) {
(11)       elsif (%{EAP-Type} == PEAP)  -> FALSE

  if (&EAP-Type == EAP-TLS)

yields then this, similar to 'if (EAP-Type == EAP-TLS)':
/etc/raddb/policy.d/vlan-id[5]: Parse error in condition
/etc/raddb/policy.d/vlan-id[5]: (&EAP-Type == EAP-TLS) {
/etc/raddb/policy.d/vlan-id[5]:               ^ Failed to parse value for 

I'm using freeradius-3.0.13 for these tests.
I would like not to use numeric values - both EAP-Type and EAP-TLS/PEAP are 
from freeradius' built-in dictionary.


BOFH Excuse #129:

The ring needs another token

More information about the Freeradius-Users mailing list