On 20/01/2010 23:36, Arran Cudbard-Bell wrote:
On 1/17/2010 8:37 AM, Alexander Clouter wrote:
James J J Hooper<jjj.hoo...@bristol.ac.uk> wrote:
In order to also return e.g. VLAN IDs (that could be computed from the
inner User-Name in a non-session-resumption enabled config), I can move
the config that sets the VLAN to the outer tunnel post-auth && ensure the
inner tunnel sets:
reply:outer User-Name to request:inner User-Name
and then key my VLAN computation (in outer post-auth) from
reply:User-Name.

We have been doing authorisation depending on the outer layer since
summer.

How did you get around the "my policy rejects you now, but i've already
sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
EAP-Failure messages" issue... or are you just happily ignoring it/
encouraging adoption of TTLS-PAP like I was? :)

-Arran


Our setup never changes its mind :-) Any valid credentials always get a connection. ...only whether that connection is Internet/port limited/captive redirect to web message server changes.

This also avoids the 'wireless doesn't accept my password' queries at the helpdesk (which end up with the user messing around and perhaps turning off certificate validation to see if that "fixes it" etc). Instead facebook.com returns "you're a virus infected monster - use a different PC to read your email. We've sent you instructions" etc.

-James
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
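The two-stage arrangement described in the thread (inner tunnel copies the real identity out, outer server keys the VLAN on it, and never rejects after the tunneled success has gone out) as an added example in FreeRADIUS 3.x unlang. This is not configuration from the thread or from the FreeRADIUS project; the VLAN names, the example realm and the regex test that stands in for a site-specific lookup are assumptions.

```unlang
# --- sites-enabled/inner-tunnel, post-auth section (added example) ---
post-auth {
    # Expose the inner (authenticated) identity to the outer request's reply,
    # so the outer server can key VLAN selection on it. Without this the outer
    # server only sees the anonymous outer identity.
    update outer.reply {
        User-Name := &request:User-Name
    }
}

# --- sites-enabled/default, post-auth section (added example) ---
post-auth {
    # Do not reject here: by the time outer post-auth runs the EAP-Success TLV
    # has already been sent inside the TLS tunnel and many supplicants ignore a
    # later EAP-Failure. Every valid credential gets a connection; policy only
    # chooses which VLAN. The regex is a constructed stand-in for a real
    # quarantine/group lookup (assumed realm, assumed VLAN names).
    if (&reply:User-Name && (&reply:User-Name =~ /@quarantine\.example\.org$/)) {
        update reply {
            Tunnel-Private-Group-Id := "quarantine"
        }
    }
    else {
        update reply {
            Tunnel-Private-Group-Id := "users"
        }
    }
    # RFC 2868 attributes the switch/controller needs to honour the group id.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }
}
```

The quarantine VLAN is where the captive redirect lives, so a compromised or non-compliant account still authenticates cleanly (no "wireless doesn't accept my password" tickets) while its network access is limited to the remediation page.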
