Hello (again),
To aid debugging, I'm adding some Reply-Message values upon rejection,
to indicate why we rejected it, in some obvious cases.
In the authorize stanza of the inner-tunnel virtual server, I can do:
    update reply {
        Reply-Message := '[cam.ac.uk] Inner identity in invalid format'
    }
... this updates the Reply-Message in the inner-tunnel (so
'%{reply:Reply-Message}' returns this message) and appears to propagate
back out of the tunnel as '%{reply:Reply-Message}' is set to the same
thing outside it (i.e. back in the 'default' server), in the case of
intermediate challenges and the final 'Access-Accept'.
However, if I do this and then issue 'reject' to deny the login, the
Reply-Message doesn't seem to get out of the inner-tunnel and
'%{reply:Reply-Message}' outside it is empty. I've tried 'update
outer.reply { ... }' and that doesn't work, either. I presume it also
wouldn't get out to clients, either.
Is this a bug (this is 2.1.6) or am I doing this wrong?
- Bob
--
Bob Franklin <rc...@cam.ac.uk> +44 1223 748479
Network Division, University of Cambridge Computing Service