question about session resumption and reply attributes

Anatoli Logvinski anatoli.logvinski at adelaide.edu.au
Fri May 22 08:11:21 CEST 2009


Thanks a lot guys, it's working properly now

Best regards
Anatoli

Arran Cudbard-Bell wrote:
> Hi,
>
>>> No. You should be running through your authorisation policies on
>>> session resumption. All policies should be moved to the post-auth
>>> section of the outer server.
>
>> but only the inner server knows the real id etc ?
>
> Yes, so have it tell the outer server... Insert the (attached) snippet
> into the authorize section of the inner server.
>
> There's an issue where outer.reply items aren't merged with the reply
> when doing EAP-TTLS-MSCHAPv2. So you still have to have
> 'use_tunneled_reply' set to yes.
>
> I believe the User-Name attribute in outer.reply is cached, and
> available for use on session resumption. So just:
>
> Auth-Type EAP {
>     eap
>     if(ok && "%{reply:User-Name}"){
>         update request {
>             User-Name := "%{reply:User-Name}"
>         }
>     }
> }
>
> Once you've got the policies moved to post-auth, then any scripts or
> lookups used for authorisation will only be run once, so far greater
> efficiency with complex policies. Rejects are still handled properly
> even within the Post-Auth section (jumps to Post-Auth-Type reject).
>
> Arran
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html