On 1/28/2011 3:48 AM, Alan DeKok wrote:
> Put the "unlang" in the "authenticate" section, after "eap":
>
>     Auth-Type eap {
>         eap
>         if (...) {
>             ...
>         }
>     }

Thank you!! That did the trick. The entirety of my authenticate section is now:

    authenticate {
        Auth-Type Kerberos {
            krb5
        }
        Auth-Type eap {
            eap
            if ( "%{TLS-Client-Cert-Subject}" =~ /\/OU=Evil\// ) {
                reject
            }
        }
    }

And it works perfectly. Thank you!

As for Windows XP dealing with the rejection....

> You're sending a *radius* reject. It doesn't include an EAP-Message
> with an *EAP* reject. So you need to create a fake one:
>
>     update reply {
>         EAP-Message := 0x
>     }
>
> That can work sometimes...

Ah, thanks for the tip. I added this in the "Post-Auth-Type REJECT" section:

    if ( "%{control:Auth-Type}" == "EAP" ) {
        update reply {
            EAP-Message := 0x04010004
        }
    }

The code seems to work as expected, but Windows XP still doesn't seem to handle it sensibly. But I can live with that.

Thank you, Alan!

-Matt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
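Added example, not part of the list thread and not FreeRADIUS code: a small Python script that decodes the hex literal used for the fake EAP-Message (0x04010004) into its RFC 3748 header fields, builds the same EAP-Failure packet from scratch, and applies the same subject regex as the unlang check to a few constructed TLS-Client-Cert-Subject strings. The sample subjects and the function names are assumptions made for this example.

```python
import re

# EAP packet codes from RFC 3748, section 4.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_eap_failure(identifier: int) -> bytes:
    """Build a minimal EAP-Failure packet: Code=4, Identifier, Length=4, no payload."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier must fit in one byte")
    return bytes([4, identifier]) + (4).to_bytes(2, "big")


def parse_eap_header(packet: bytes) -> dict:
    """Decode the 4-byte EAP header and check the Length field against the real size."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} does not match packet size {len(packet)}")
    return {
        "code": code,
        "name": EAP_CODES.get(code, "Unknown"),
        "identifier": identifier,
        "length": length,
    }


def eap_message_from_unlang(literal: str) -> bytes:
    """Turn an unlang hex literal such as 0x04010004 into the raw attribute bytes."""
    if not literal.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex literal")
    return bytes.fromhex(literal[2:])


# The same pattern the post uses in unlang: /\/OU=Evil\//
# It needs the literal text "/OU=Evil/", i.e. the RDN followed by another slash.
REJECT_SUBJECT = re.compile(r"/OU=Evil/")


def subject_is_rejected(subject: str) -> bool:
    """True when the OpenSSL one-line subject contains the OU the post rejects."""
    return REJECT_SUBJECT.search(subject) is not None


if __name__ == "__main__":
    # Constructed sample values for this example (not taken from the list post).
    pkt = eap_message_from_unlang("0x04010004")
    print(parse_eap_header(pkt))  # code 4 = Failure, identifier 1, length 4
    assert pkt == build_eap_failure(1)
    for s in ["/C=US/O=Example/OU=Evil/CN=alice",
              "/C=US/O=Example/OU=Evildoers/CN=bob",
              "/C=US/O=Example/CN=carol/OU=Evil"]:
        print(s, "->", "reject" if subject_is_rejected(s) else "accept")
```

Two things the decode makes visible. First, the hard-coded identifier byte (0x01) is only correct when it matches the Identifier of the last EAP Response in the conversation, which RFC 3748 requires for Success and Failure packets; a fixed value will rarely line up with the supplicant's current identifier. Second, the regex only matches when OU=Evil is followed by another component, so a subject whose last RDN is OU=Evil (the third constructed sample) is not caught; `/\/OU=Evil(\/|$)/` would cover both placements.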