On 05/19/2012 12:37 PM, alan buxey wrote:
Hi,

Am I being dumb / getting something wrong or does the post-auth session
not get called if PEAP/MSCHAP returns a reject?

It seems to run for successful auths, but not failures.

   That is the case.

This is in the context of us not seeing log messages for EAP auth
failures; I suspect that the client may just "hang up" and let the EAP
session expire, and since the inner post-auth doesn't run, and the outer
session expires, I have no logs.

   There was talk about getting it to do Post-Auth-Type Reject in the
inner tunnel.  No code yet, tho.

interesting/useful - I was seeing exactly the same behaviour last week when
setting something up...thought I was going a bit mad and was going to post
something to this list next week... failed PEAP/MSCHAP doesn't enter the
post-auth reject session whether it's local or a remote (proxied) one. I did
something else at the time as a work-around but it would be good to have the
failure code hit just as PAP requests get

I haven't tested this, and can't easily right now, but I expect something similar would happen with TTLS; can you verify this? I'm particularly curious to know what the difference between TTLS/PAP and TTLS/EAP-MSCHAPv2 would be based on the code paths involved (see -devel post).