PENZ Robert wrote:
> I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate
> failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not
> reject them to the guest VLAN. My config looks like this:

That will work only for wired authentication, and sometimes not even then.

> # EAP didn't work
> if (EAP-Type == "NAK") {
>     update control {
>         MACAU-Reason := "unsupported EAP typ --> Client misconfiguration"
>         Auth-Type := Accept

That doesn't work. You MUST return an EAP-Message attribute in the reply. Just sending an Access-Accept means that the NAS will *ignore* it, and close the connection.

And this kind of thing is generally not recommended, because the server isn't really designed to fail authentication, and then force a success.

You should instead do as little as possible in the "authenticate" section. Just change the return code to "ok". Then do any policy setting (VLAN, etc.) in post-auth.

Alan DeKok.