On 18/09/12 14:16, Brian Candler wrote:
> When a user logs into a wireless AP, I would like to include some per-user
> response attributes, in particular Acct-Interim-Interval = 600
>
> However freeradius -X shows that this isn't happening, and it appears to be
> because of the following stanza in the default config:
>
>          #  The example below uses module failover to avoid querying all
>          #  of the following modules if the EAP module returns "ok".
>          #  Therefore, your LDAP and/or SQL servers will not be queried
>          #  for the many packets that go back and forth to set up TTLS
>          #  or PEAP.  The load on those servers will therefore be reduced.
>          #
>          eap {
>                  ok = return
>          }

This is in the "authorize" section. EAP doesn't know, at this point, that the packet will *be* the final one, because it hasn't processed it yet.

The EAP module does all its work in the "authenticate" section. It must, because it might need data added by previous modules in the "authorize" section (e.g. passwords from LDAP, SQL, files, etc.)


> What's the recommended solution here? Is it possible to distinguish between
> the final EAP accept and the earlier Access-Challenge, so that just the
> final response does a database lookup for the required user response
> attributes?

Yes, in post-auth.

post-auth {
  update reply {
    ...
  }
}

Generally people will do this kind of thing in the inner-tunnel virtual server and set "use_tunneled_reply = yes" to copy the attributes back. You need to exercise caution if you're using session resumption here, because resumed sessions don't use the inner-tunnel.
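The arrangement described in the reply above, written out as an added example (not part of the original message and not the project's shipped configuration). It assumes a FreeRADIUS 2.x style layout with eap.conf, sites-available/inner-tunnel and sites-available/default; the fragments are meant to be merged into the existing sections, and the outer post-auth fallback is one possible way to cover resumed sessions, only suitable for a value that is the same for every user.

```conf
# --- eap.conf (fragment; merge into the existing eap { } section) ---
eap {
	peap {
		virtual_server = "inner-tunnel"
		# Copy reply attributes set in the inner tunnel into the
		# outer Access-Accept.
		use_tunneled_reply = yes
	}
	ttls {
		virtual_server = "inner-tunnel"
		use_tunneled_reply = yes
	}
}

# --- sites-available/inner-tunnel (fragment) ---
server inner-tunnel {
	post-auth {
		# post-auth runs once, after the inner authentication has
		# succeeded, not on every Access-Challenge round trip, so
		# the "ok = return" shortcut in authorize does not skip it.
		update reply {
			Acct-Interim-Interval := 600
		}
	}
}

# --- sites-available/default (outer server, fragment) ---
post-auth {
	# A resumed session never enters the inner tunnel, so nothing is
	# copied back. Add the attribute here only when the reply lacks it.
	if (!reply:Acct-Interim-Interval) {
		update reply {
			Acct-Interim-Interval := 600
		}
	}
}
```

Attributes that differ per user cannot be restored by a fixed outer fallback like this one; for those, check with freeradius -X what a resumed session actually returns before relying on the tunneled reply.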