AW: Additional reply attributes via eap-pwd possible?

denny.friebe at icera-network.de denny.friebe at icera-network.de
Tue Jan 26 16:44:07 CET 2021


The last reply was accidentally sent directly to your email. Here again for
the mailing list:

> You've added the attributes in the inner-tunnel, but you haven't told the
> server to send them to the client.
> You need to copy the inner tunnel attributes to the outer tunnel.  See
> sites-available/inner-tunnel:
> Then also see sites-available/default:
> this comment applies to EAP-PWD, too.  Follow the instructions there.
> Alan DeKok.

Thank you for your help. As far as I can tell, I have already done this. Or have I
overlooked something? Here is my configuration:
sites-enabled/default:
################################
# Virtual server "default", as posted for sites-enabled/default.
# Each section lists modules/policies in the order they are run, so the
# order of the lines below is part of the behaviour.
server default {
# Authentication listener.
listen {
        type = auth
        # "*" binds every IPv4 interface on the host. On a multi-homed machine,
        # consider binding only the address the NAS devices actually reach.
        ipaddr = *
        # 0 = take the port number from /etc/services (normally 1812 for auth).
        port = 0
        
        # Connection limits. NOTE(review): in the stock 3.x config these are
        # documented as applying to TCP listeners only; confirm for this version.
        limit {
              # 0 = no cap on simultaneous connections.
              max_connections = 0
              # 0 = a connection is never closed because of its age.
              lifetime = 0
              # Close a connection after 30 seconds without traffic.
              idle_timeout = 30
        }
}

# Accounting listener, same wildcard bind; port 0 again defers to
# /etc/services (normally 1813 for acct).
listen {
        ipaddr = *
        port = 0
        type = acct

        # Empty: no explicit limits configured for this listener.
        limit {
        }
}

authorize {
        # Stock policy that rejects malformed User-Name values early,
        # before any other module sees them.
        filter_username
        preprocess
        # Realm handling for "user@realm" style names.
        suffix
        rewrite_calling_station_id
        
        # Leave the authorize section as soon as eap returns "ok" or "updated".
        # Consequence: for those requests the -sql and logintime lines below
        # are not run.
        eap {
                ok = return
                updated = return
        }
        
        # Leading "-" = skip this line silently if the sql module is not
        # enabled. Same meaning wherever "-sql" appears in this file.
        -sql
        logintime
}

# Only EAP is listed, so no other authentication method (pap, chap, mschap)
# is available through this virtual server.
authenticate {
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
}

accounting {
        detail
        -sql
        exec
        # Filters the attributes sent back in the Accounting-Response.
        attr_filter.accounting_response
}

session {
}

post-auth {
        # Append everything cached in the session-state list to the reply.
        # This is the outer half of the "copy inner attributes to the outer
        # reply" mechanism: it only returns what something else has already
        # placed in session-state.
        update {
                &reply: += &session-state:
        }

        # If sql is not enabled this is skipped without error, so do not assume
        # post-auth records exist unless the module is confirmed loaded.
        -sql
        exec
        
        # Runs for rejected requests only.
        Post-Auth-Type REJECT {
                -sql
                # Strips attributes that must not appear in an Access-Reject.
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }

        Post-Auth-Type Challenge {
        }
}

pre-proxy {
}

post-proxy {
        eap
}
}
################################



sites-enabled/inner-tunnel:
################################
# Posted as sites-enabled/inner-tunnel.
# NOTE(review): the block is named "default", not "inner-tunnel", and lists
# the same sections and modules as the default site. Either this is a paste
# error or the file on disk really declares a second "server default";
# confirm which name the eap module's virtual_server setting points at.
server default {
# NOTE(review): wildcard auth/acct listeners in an inner-tunnel file. The stock
# inner-tunnel only listens on localhost for testing; a network-facing listener
# here would accept requests that never passed through the outer EAP method.
# Confirm this is intended.
listen {
        type = auth
        # "*" binds every IPv4 interface on the host.
        ipaddr = *
        # 0 = take the port number from /etc/services.
        port = 0

        limit {
              # 0 = no cap on simultaneous connections.
              max_connections = 0
              # 0 = a connection is never closed because of its age.
              lifetime = 0
              # Close a connection after 30 seconds without traffic.
              idle_timeout = 30
        }
}

listen {
        ipaddr = *
        port = 0
        type = acct

        # Empty: no explicit limits configured for this listener.
        limit {
        }
}

authorize {
        filter_username
        preprocess
        suffix
        rewrite_calling_station_id

        # Leave the authorize section as soon as eap returns "ok" or "updated";
        # the -sql and logintime lines below are then not run for that request.
        eap {
                ok = return
                updated = return
        }

        # Leading "-" = skip this line silently if the sql module is not enabled.
        -sql
        logintime
}

authenticate {
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
}

accounting {
        detail
        -sql
        exec
        attr_filter.accounting_response
}

session {
}

post-auth {
        # Appends this server's own session-state list to its own reply.
        # NOTE(review): nothing in this section copies the inner reply to the
        # outer request. The stock inner-tunnel does that with an update of the
        # form "&outer.session-state: += &reply:", which is absent here. That
        # would explain why the extra attributes never reach the client; confirm.
        update {
                &reply: += &session-state:
        }

        -sql
        exec

        # Runs for rejected requests only.
        Post-Auth-Type REJECT {
                -sql
                # Strips attributes that must not appear in an Access-Reject.
                attr_filter.access_reject
                eap
                remove_reply_message_if_eap
        }
        
        Post-Auth-Type Challenge {
        }
}

pre-proxy {
}

post-proxy {
        eap
}
}
################################


