James J J Hooper <jjj.hoo...@bristol.ac.uk> wrote:
>> How did you get around the "my policy rejects you now, but I've already
>> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
>> EAP-Failure messages" issue... or are you just happily ignoring it/
>> encouraging adoption of TTLS-PAP like I was? :)
>
> Our setup never changes its mind :-) Any valid credentials always get a
> connection. ...only whether that connection is Internet/port
> limited/captive redirect to web message server changes.
>
Arran is probably referring to the fact that with EAP-TLS reauth you are actually using the authentication (and possibly authorisation) credentials from a previous session, which can even be a few days prior.

You might decide to do some user-focused authorisation in the post-auth section[1]; for example you might reject a user if their user account has been disabled, or if they are in the wrong group, or maybe they have been a Bad Bad Boy(tm) :) You might then have them marked 'disabled' in your LDAP tree; however, the EAP-TLS reauth bit never gets that far....so you end up accepting them. Again, another reason not to do user-based authorisation. :)

Cheers

[1] or indirectly in the authentication section via an amended LDAP filter where you only authenticate against user objects where 'accountdisabled=false' or something

--
Alexander Clouter
.sigmonster says: Your aim is high and to the right.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
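As an added illustration (not part of the thread, and not the list's or the poster's own config), the two placements Alexander contrasts written out FreeRADIUS 2.x-style: the post-auth check, and the amended LDAP filter from footnote [1]. The LDAP server, base DN, and the `disabled` group name are placeholders; the `accountdisabled=false` attribute/value is taken from the mail and is assumed to exist in the directory.

```text
# modules/ldap  (server and basedn are placeholders)
ldap {
    server = "ldap.example.org"
    basedn = "ou=people,dc=example,dc=org"

    # Default-style filter: any user object with a matching uid is found,
    # so a disabled account is still located and can still authenticate.
    # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Amended filter (footnote [1]): only user objects that are not marked
    # disabled match, so the lookup itself fails for a disabled account
    # rather than relying on a later policy decision.
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(accountdisabled=false))"
}

# sites-available/default
post-auth {
    # User-focused authorisation placed here. As the mail points out, an
    # EAP-TLS reauth reuses credentials from an earlier session and does
    # not reach this point, so a check that lives only here is bypassed.
    # The "disabled" group name is an assumed placeholder.
    if (Ldap-Group == "disabled") {
        reject
    }
}
```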