EAP Session resumption && reply attributes

Alexander Clouter alex at digriz.org.uk
Sun Jan 17 17:37:09 CET 2010


James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>
> In order to also return e.g. VLAN IDs (that could be computed from the 
> inner User-Name in a non-session-resumption enabled config), I can move 
> the config that sets the VLAN to the outer tunnel post-auth && ensure the 
> inner tunnel sets:
>   reply:outer User-Name to request:inner User-Name
> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
> 
We have been doing authorisation depending on the outer layer since 
summer.

The best part about doing this is that all you really care about from 
the inner layer is whether it gave you Access-Accept or Access-Reject[1]; 
the cached username is handy to make sure your Accounting packets are 
then nice and helpful.

One thing to remember is, for *your* users roaming at other 
universities, to remove the reply:User-Name attribute to protect the 
guilty. :)

Cheers

[1] in my opinion[2] it's a Bad Idea(tm) to do *user* 
	authorisation...host authorisation is fine though
[2] the 'why' is in how you handle multi-user hosts where there 
	*could* be multiple simultaneous interactive users on the host

-- 
Alexander Clouter
.sigmonster says: Memory fault - where am I?
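An added example of the layout discussed above, written for this page and not taken from James's or Alexander's configuration: the inner tunnel copies the authenticated inner User-Name into the outer reply, the outer post-auth keys VLAN assignment on reply:User-Name, and, per Alexander's caveat, the identity (and the VLAN) is stripped before the reply goes back to a visited site. FreeRADIUS 2.x unlang syntax is assumed; the realm example.ac.uk, the VLAN numbers and the client shortname "national-proxy" are placeholders.

```unlang
# sites-enabled/inner-tunnel  (added example, hypothetical values)
post-auth {
	# Surface the inner identity in the outer session. The outer
	# post-auth and the Accounting packets can then key on it.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}

# sites-enabled/default  (outer tunnel, added example)
post-auth {
	# Request arrived via the roaming proxy: it is one of *our* users
	# at another site. Send no inner identity and no local VLAN back.
	# "national-proxy" is an assumed client shortname from clients.conf.
	if ("%{client:shortname}" == "national-proxy") {
		update reply {
			User-Name !* ANY
			Tunnel-Type !* ANY
			Tunnel-Medium-Type !* ANY
			Tunnel-Private-Group-Id !* ANY
		}
	}
	else {
		# Host authorisation keyed on the identity the inner tunnel
		# exposed (assumed present on resumed sessions from the cache).
		if (reply:User-Name =~ /^host\/.*\.example\.ac\.uk$/) {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "100"
			}
		}
		elsif (reply:User-Name =~ /@example\.ac\.uk$/) {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "200"
			}
		}
		else {
			# Unknown identity: no VLAN, leave it to the NAS default.
			update reply {
				Tunnel-Type !* ANY
				Tunnel-Medium-Type !* ANY
				Tunnel-Private-Group-Id !* ANY
			}
		}
	}
}
```

The roaming check comes first so that a user authenticating from abroad never receives a home VLAN or an exposed inner identity regardless of which branch the identity would otherwise match. Any distinguishing marker for proxied requests (the client shortname, a proxy-added attribute) works in place of the shortname test shown.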
