User-Name return glitch in FR 3.0.17?
Alan DeKok
aland at deployingradius.com
Mon Apr 23 19:12:47 CEST 2018
On Apr 23, 2018, at 11:51 AM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
>
> So, this is an authentication on FreeRADIUS 3.0.17 that I've just upgraded to on our 'playpen' network. Previously, it would simply return the User-Name as 'root' (I know, I know...) but now it appears that the server adds the outer User-Name *first*, and then restores the session-state one (which was set by the inner-tunnel as 'root').
There were situations where it *wouldn't* set the reply User-Name for EAP. That was fixed in 3.0.17.
The debug log you posted shows no User-Name in the session-state list.
Hmm... if I set the inner reply with a User-Name, and then set "use_tunneled_reply = yes", then the inner User-Name is copied to the outer one as expected.
If I don't set "use_tunneled_reply", then the outer User-Name is just a copy of the one from the request, as expected.
If I add a User-Name to the outer session-state list, then it's in the reply, *and* the one added by the EAP module. So that's wrong. The solution there is to have "eap" run in the post-auth section, and only add the reply User-Name there. But that's not going to change in a stable release.
The solution to that would be to just remove any existing User-Name from the reply, before updating the session-state list:
# Drop any User-Name already in the reply
update reply {
	User-Name !* ANY
}
# Then copy the session-state list into the reply
update {
	&reply: += &session-state:
}
I think that will work. But what are you expecting it to do, and when?
Alan DeKok.