[RADIATOR] Reject PreAuthHook with PEAP and TTLS

Heikki Vatiainen hvn at open.com.au
Fri May 24 08:19:42 CDT 2013


On 05/24/2013 04:12 PM, Johan Carlquist wrote:

> Is it possible to in a PreAuthHook reject based on the inner username when using PEAP and TTLS?

The hook arguments look like ones for PostAuthHook, not Pre.

With PostAuthHook you can do this. However, with EAP you need to be
aware that the first EAP request typically is the one that carries the
identity. For this reason you do not know the identity when the first
EAP request for the EAP authentication session has just arrived and it
has not been processed yet (to find out the identity).

> I tried to just reject with
> sub {
>     my $p = ${$_[0]};
>     my $response = $_[2];
>     &main::log($main::LOG_DEBUG, $p->{EAPIdentity});
>     $$response = $main::REJECT;
>     return $main::REJECT;
> }
> but that didn't print the username and it didn't reject the user.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
