
List:       freeradius-users
Subject:    Re: Question about outer identity
From:       Martin Pauly <pauly () hrz ! uni-marburg ! de>
Date:       2009-07-31 12:42:16
Message-ID: 4A72E6A8.4090703 () hrz ! uni-marburg ! de

Hi Alan,
>   Replace the "ldap123" line in the "authorize" section with:
> 
> 	if (!EAP-Message) {
> 		ldap123
> 	}

works great and is logical indeed -- thanks!

Just for myself and others trying to learn from examples:
I had thought that
         eap {
                 ok = return
         }
would already do the trick when placed above ldap.
But actually, we have
++[eap] returns noop
in case of a non-EAP request -- not 'ok'.
The above statement catches up, only if
there _is_ an EAP request, but no need to bother
LDAP yet (i.e. during tunnel setup as the comment
suggests).


o.k. here's freeradius' output w/o EAP:
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 30
[files]         expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> TRUE
++? if (!EAP-Message) -> TRUE
++- entering if (!EAP-Message) {...}
+++- entering policy ldap123 {...}
++++- entering redundant-load-balance group redundant-load-balance {...}
[ldap1] performing user authorization for Pauly

... and with EAP:
[files] users: Matched entry DEFAULT at line 30
[files]         expand: %{User-Name} -> Pauly
++[files] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity

-- 
   Dr. Martin Pauly     Fax:    49-6421-28-26994
   HRZ Univ. Marburg    Phone:  49-6421-28-23527
   Hans-Meerwein-Str.   E-Mail: pauly@HRZ.Uni-Marburg.DE
   D-35032 Marburg 
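
A way to confirm the effect of the `if (!EAP-Message)` guard from debug output, as an added example that is not part of the original message: the script parses one request's trace and reports whether an LDAP authorization lookup still happened for an EAP request. The function names and the third trace are assumptions made for illustration; the first two traces are trimmed from the output quoted above.

```python
import re

# Lines copied (trimmed) from the two debug traces in the message above.
TRACE_NO_EAP = """\
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns ok
++? if (!EAP-Message) -> TRUE
+++- entering policy ldap123 {...}
[ldap1] performing user authorization for Pauly
"""
TRACE_EAP = """\
++[files] returns ok
++? if (!EAP-Message) -> FALSE
++[pap] returns noop
Found Auth-Type = EAP
[eap] EAP Identity
"""
# Constructed trace (not from the message): what an unguarded ldap123 call
# would look like for an EAP request.
TRACE_UNGUARDED = """\
++[files] returns ok
[ldap1] performing user authorization for Pauly
Found Auth-Type = EAP
"""

RCODE = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
COND = re.compile(r"^\++\? if \((.+)\) -> (TRUE|FALSE)$")
LDAP = re.compile(r"^\[(ldap\w*)\] performing user authorization for (\S+)$")

def summarize(trace):
    """Collect module return codes, condition results and LDAP lookups for one request."""
    s = {"rcodes": {}, "conds": {}, "ldap": [], "is_eap": False}
    for line in (l.strip() for l in trace.splitlines()):
        if m := RCODE.match(line):
            s["rcodes"][m.group(1)] = m.group(2)
        elif m := COND.match(line):
            s["conds"][m.group(1)] = m.group(2) == "TRUE"
        elif m := LDAP.match(line):
            s["ldap"].append((m.group(1), m.group(2)))
        elif line == "Found Auth-Type = EAP":
            s["is_eap"] = True
    return s

def ldap_hit_during_eap(trace):
    """True when an EAP request still triggered an LDAP authorization lookup."""
    s = summarize(trace)
    return s["is_eap"] and bool(s["ldap"])
```

The `rcodes` entry for `eap` in the non-EAP trace is `noop`, which is why an `ok = return` override on that module never fires there.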
