Multiple instances of attribute in tunnelled reply

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Apr 23 10:28:10 CEST 2008


Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>   
>> Hi,
>>
>> We formulate our reply inside of the virtual server dealing with EAP and
>> send it back to the outer server. This is the only way I could think of
>> to insert the Inner identity into the Access-Accept.
>>     
>
> 	...
> 	update outer.reply {
> 		User-Name := "foo"
> 	}
> 	...
>
>   
Hmm, it's complicated... there are authorisation issues too.
>> It all works
>> fine... however it seems there's a bug when dealing with multiple
>> instances of the same attribute.
>>     
>
>   Ah.... the code in "unlang" was fixed to correct this problem.  The
> basic API used in the basic RADIUS library wasn't fixed.
>
>   Ok... I'll take a look at it when I get back from my current trip.
>   
Ok that helps, didn't realise it was fixed in unlang; least I can get 
some dynamic ACL testing done.
>   
>> What's really weird is in the previous rounds of EAP, the attributes
>> retain the += operator, it's only in the one where the EAP-Success
>> message is returned where all the operators are stripped out.
>>     
>
>   Yes.  "copy everything", versus "merge via operators".
>
>   
Yep.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   

Thanks,
Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900




More information about the Freeradius-Users mailing list