Thanks Phil, that's great, works really well. It has set me thinking about a variation though: using EAP-Message would mean that it wouldn't run if it had been through the default only, such as EAP-TLS. Is there something else I could use which would indicate if inner-tunnel had been used?
thanks,

On Mon, Mar 7, 2011 at 11:08 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 07/03/11 10:10, paul smith wrote:
>
>> Is there some way I can tell the server not to run things in the
>> default post-auth, if the request has been through the inner-tunnel?
>>
>> I'm thinking putting something like the following in the default
>> post-auth section
>>
>> if (!proxy-reply:Packet-Type == "Access-Accept") {
>>     radius-user-auth
>> }
>
> How about:
>
> post-auth {
>     if (!EAP-Message) {
>         ...the exec module
>     }
> }
>
>>
>> However this always evaluates as true, even though I can see the
>> inner-tunnel authenticating successfully.
>
> Inner tunnel is not proxying, so proxy-reply is always empty, hence
> evaluates to "true". Don't confuse proxying with EAP phases.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html