How to write log only once in Post-Auth-Type REJECT section of EAP module?

남혁준 sawd1598 at gmail.com
Mon Jan 29 13:29:54 UTC 2024


During the testing process, methods that seem likely to be usable are
identified and added.

However, this seems to ignore the warning(?) written in the comment. Is
this the correct way?


#  The "session-state" attributes are not available here.
#
Post-Auth-Type REJECT {

                if (!session-state:Module-Failure-Message) {
                        rest
                }

                attr_filter.access_reject

                # Insert EAP-Failure message if the request was
                # rejected by policy instead of because of an
                # authentication failure
                eap

                #  Remove reply message if the response contains an EAP-Message
                remove_reply_message_if_eap
        }



I don't know if you are saying that you can't use session-state or that you
shouldn't use it.

I tried configuring it so that if the content copied from "INNER-EAP" to
the following command exists, it is not executed.



                #  Let the outer session know which module failed, and why.
                #
                update outer.session-state {
                        &Module-Failure-Message := &request:Module-Failure-Message
                }

On Mon, Jan 29, 2024 at 9:26 PM, 남혁준 <sawd1598 at gmail.com> wrote:

> hello.
>
> I'm using the EAP module.
> Additionally, the REST module is used in the inner-server.
>
> If you want to refuse authentication in this situation, the REST module
> responds with 401 and Module-Failure-Message.
>
> This Module-Failure-Message is then correctly delivered to the
> Post-Auth-Type REJECT section within "Inner-server".
>
> Because I had declared rest in this section, the post-auth API was being
> called correctly and writing logs.
>
>
>
>
> However, one additional requirement arose.
>
> Logs should also be written when the certificate is incorrect.
>
>
> I added rest to the Post-Auth-Type REJECT section in the default (with
> external EAP) file.
>
> When the certificate was incorrect, the Post-Auth-Type REJECT section of
> the external EAP was reached, and this was also logged correctly.
>
>
> However, the problem now arises in situations where "Internal EAP" is
> called.
>
> In "Internal EAP", the Post-Auth-Type REJECT REST module log occurs once
> and
>
> Post-Auth-Type REJECT REST module log occurs once in "External EAP".
>
> Now, the log has occurred a total of 2 times.
>
>
> “Internal EAP” is the message I sent, but “outer EAP” is the message
> generated by the EAP-PEAP module.
>
> message : "eap_peap: The users session was previously rejected: returning
> reject (again.)"
>
>
> Logs do not necessarily have to be written from "internal EAP".
>
> So I wanted to forward messages originating from the "inner EAP" to the
> "outer EAP" module and then use them in the Post-Auth-Type REJECT REST
> module.
>
> However, I could not find a way, and only the message generated by the
> EAP-PEAP module was always delivered as Module-Failure-Message.
>
>
>
> How do I accomplish what I want?
>

