Hi,

EAP type module in autz sets Auth-Type to be EAP, allowing:

Auth-Type {
      eap
      ... unlang
}

But it appears the eap module releases the tunneled reply into the current reply list,
then everything skips to post-auth.

   #
   #  Allow EAP authentication.
   Auth-Type EAP {
       eap
       # Parse User-Name sent back from EAP-Tunnel
       if(ok && "%{reply:User-Name}"){
           update request {
               User-Name := "%{reply:User-Name}"
           }
           $INCLUDE  ${unlangdir}/uidrewrite.conf
       }
   }


auth: type "EAP"
+- entering group EAP
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/ttls
 rlm_eap: processing type ttls
 rlm_eap_ttls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client hp-e-its-dev8021x-sw1 port 1 cli 001b63a3a8dd)
+- entering group post-auth
++[reply] returns noop

Is this intentional?

This is to do with logging with User-Names returned from the inner tunnel. It almost seems like this is something that belongs in the EAP module with an option to copy the User-Name from the tunnelled request to the outer request at the point the tunnelled reply is released.

But I'm not sure, still trying to reason out the best way to deal with inner/outer identities.

Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
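
Added example, not part of the original post: a small Python check over radiusd auth-log lines in the format shown in the debug output above. It lists successful EAP logins that were recorded only under an anonymous outer identity, so they can be correlated (for example by the `cli` value) with inner-tunnel records. Only the first sample line comes from the post; the other lines, the function names and the rule that an empty or "anonymous" local part counts as anonymous are assumptions.

```python
import re

# Auth-log line format as it appears in the post:
#   Login OK: [user/<via Auth-Type = EAP>] (from client NAME port N cli MAC)
LOGIN_RE = re.compile(
    r"Login (?P<result>OK|incorrect)[^\[]*"
    r"\[(?P<user>[^/\]]*)/(?P<detail>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^\s)]+))?"
)

def is_anonymous(user):
    """Assumption: an empty or 'anonymous' local part is an anonymous outer identity."""
    local = user.split("@", 1)[0].strip().lower()
    return local in ("", "anonymous")

def untraceable_logins(lines):
    """Return successful EAP logins logged only under an anonymous outer identity."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # debug chatter such as "++[eap] returns ok"
        rec = m.groupdict()
        if (rec["result"] == "OK"
                and "Auth-Type = EAP" in rec["detail"]
                and is_anonymous(rec["user"])):
            hits.append(rec)
    return hits

SAMPLE = [
    # Line taken from the post:
    "Login OK: [anonymous/<via Auth-Type = EAP>] "
    "(from client hp-e-its-dev8021x-sw1 port 1 cli 001b63a3a8dd)",
    # Constructed lines (hypothetical clients, users and MACs):
    "Login OK: [@example.org/<via Auth-Type = EAP>] "
    "(from client sw-constructed port 7 cli 020000000001)",
    "Login OK: [jbloggs@example.org/<via Auth-Type = EAP>] "
    "(from client sw-constructed port 8 cli 020000000002)",
    "Login incorrect: [anonymous/<via Auth-Type = EAP>] "
    "(from client sw-constructed port 9 cli 020000000003)",
    "++[eap] returns ok",
]

if __name__ == "__main__":
    for rec in untraceable_logins(SAMPLE):
        print(f"{rec['client']} port {rec['port']} cli {rec['cli']}: "
              f"outer identity '{rec['user']}' only")
```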
