Having 2 User-Name when using Session Resumption
Panagiotis Georgopoulos
panos at comp.lancs.ac.uk
Fri Nov 19 15:29:57 CET 2010
Hello all,
I am experiencing the following problem when using EAP-TLS and
session resumption. When my client tries to authenticate for the 2nd time
and FR recognizes that it has a valid session for it, it goes on and adds a
cached attribute (User-Name) to the reply, thus ending up with two User-Name
attributes in my reply packet to the NAS.
Debug: SSL Connection Established
Debug: SSL Application Data
Info: [tls] eaptls_process returned 3
Info: [tls] Retrieved session data from cached session
Info: [tls] Adding cached attributes to the reply: User-Name = "anonymous at myisp2.com"
Info: [eap] Freeing handler
Info: ++[eap] returns ok
Auth: Login OK: [anonymous at myisp2.com] (from client my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99)
Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
Info: +- entering group post-auth {...}
Info: ++[exec] returns noop
Sending Access-Accept of id 23 to 2001:db95::100 port 1814
User-Name = "anonymous at myisp2.com"
User-Name = "anonymous at myisp2.com"
MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007
MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2
EAP-Message = 0x03c90004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x34
How could I check if my reply has two User-Name attributes and remove
one? I am guessing that I should add some code in my post-auth.
Thanks a lot in advance,
Panos
PS. In order for session resumption to work with EAP-TLS I have an update
reply { User-Name = "%{request:User-Name}" } section at the end of the auth
stanza of my default site, which explains why it is not surprising to have the first
instance of User-Name there when FR decides to add the cached attributes... (if
I don't have this update reply code, SR doesn't work with EAP-TLS)
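One way to normalize the reply the way the post asks about, as an added example that is not part of the original message or of the FreeRADIUS distribution: an unlang fragment for the post-auth section of sites-enabled/default that removes every User-Name instance from the reply and then sets exactly one copy from the request. It assumes FreeRADIUS 2.x unlang semantics (the `!* ANY` operator deletes all instances of an attribute, `:=` sets a single value) and that the request's User-Name is the value the NAS should see; both the placement and the operators are assumptions to verify against your server version.

```unlang
post-auth {
    # Added example, not from the original post. On session resumption the
    # EAP module re-adds the cached User-Name, and the auth-section
    # "update reply { User-Name = ... }" adds a second one. RFC 2865 allows
    # at most one User-Name in an Access-Accept, so collapse them to one.

    # Drop every User-Name instance currently in the reply
    # (assumed: "!* ANY" removes all instances in 2.x unlang).
    update reply {
        User-Name !* ANY
    }

    # Put back exactly one copy, taken from the request.
    update reply {
        User-Name := "%{request:User-Name}"
    }

    # Existing post-auth entries (exec, etc.) stay below this point.
}
```

With this in place the cached attribute still gets added during EAP (the "Adding cached attributes to the reply" debug line will still appear), but the reply sent to the NAS carries a single User-Name. A lighter variant, also an assumption, is to change the existing auth-section update from `=` to `:=` so that it replaces any cached copy rather than adding alongside it; checking the reply with `radtest` or a debug run (`radiusd -X`) after either change confirms that only one User-Name is listed under "Sending Access-Accept".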