Proxy EAP-TLS request after successful authorization with eap module

work vlpl thework.vlpl at gmail.com
Tue Oct 17 20:57:35 CEST 2017 

> On 17 October 2017 at 23:14, Alan DeKok <aland at deployingradius.com> wrote:
>
>   That's not what was suggested.  It helps to have some understanding of how the server works.
>

I am sorry for that misunderstanding

By looking on debug log I think eap module must set Auth-Type, and
nothing can be executed after eap module. Is this correct?

If I use this config

authorize {
    eap
    if(ok) {
        debug_all
    } else {
        debug_all
    }
}


there is no debug_all output in log

---not set Auth-Type version of tls_only virtual site---

WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server tls_only {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/tls_only
(6)     authorize {
(6)       update reply {
(6)         &Auth-Type := Accept
(6)       } # update reply = noop
(6)     } # authorize = noop
(6)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   Post-Auth-Type sub-section not found.  Ignoring.
(6) } # server tls_only
(6) Virtual server sending reply
(6)   Auth-Type := Accept
(6) eap_tls: Certificate rejected by the virtual server
(6) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 6 length 4
(6) eap: Failed in EAP select

--set Auth-Type version of tls_only virtual site:-

WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server tls_only {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/tls_only
(6)     authorize {
(6)       update config {
(6)         &Auth-Type := Accept
(6)       } # update config = noop
(6)     } # authorize = noop
(6)   Found Auth-Type = Accept
(6)   Auth-Type = Accept, accepting the user
(6) } # server tls_only
(6) Virtual server sending reply
(6) eap_tls:     caching TLS-Cert-Serial := "f4f7b543fa1eaa80"
(6) eap_tls:     caching TLS-Cert-Expiration := "370806185333Z"
(6) eap_tls:     caching TLS-Cert-Subject := "/CN=CHANGED ca"
(6) eap_tls:     caching TLS-Cert-Issuer := "/CN=CHANGED ca"
(6) eap_tls:     caching TLS-Cert-Common-Name := "CHANGED ca"
(6) eap_tls:     caching TLS-Client-Cert-Serial := "9cd3e44502ae747b"
(6) eap_tls:     caching TLS-Client-Cert-Expiration := "271017150656Z"
(6) eap_tls:     caching TLS-Client-Cert-Subject := "/C=US/L=Some wifi
Wi-Fi/O=example.com/CN=CHANGED"
(6) eap_tls:     caching TLS-Client-Cert-Issuer := "/CN=CHANGED ca"
(6) eap_tls:     caching TLS-Client-Cert-Common-Name := "CHANGED"
(6) eap_tls: Failed to find 'persist_dir' in TLS configuration.
Session will not be cached on disk.
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
tls: Freeing cached session VPs
(6)           [eap] = ok
(6)         } # authenticate = ok

More information about the Freeradius-Users mailing list