Unexpected Disconnect Message to NAS

Vladimir Cvetic vcvetic.vc at gmail.com
Wed Feb 20 21:30:11 CET 2019


debug log says:

Wed Feb 20 20:59:32 2019 : Debug:    peap {
Wed Feb 20 20:59:32 2019 : Debug:       tls = "tls-common"
Wed Feb 20 20:59:32 2019 : Debug:       default_eap_type = "mschapv2"
Wed Feb 20 20:59:32 2019 : Debug:       copy_request_to_tunnel = no
*Wed Feb 20 20:59:32 2019 : Debug:       use_tunneled_reply = no*
Wed Feb 20 20:59:32 2019 : Debug:       proxy_tunneled_request_as_eap = yes
Wed Feb 20 20:59:32 2019 : Debug:       virtual_server = "inner-tunnel"
Wed Feb 20 20:59:32 2019 : Debug:       soh = no
Wed Feb 20 20:59:32 2019 : Debug:       require_client_cert = no

and the EAP config says:

 #
PEAP
             #  As of version 3.0.5, this configuration item
                #  is deprecated.  Instead, you should use
                #
                #       update outer.session-state {
                #               ...
                #
                #       }
                #
                #  This will cache attributes for the final Access-Accept.
                #
                use_tunneled_reply = no

That seems to be the reason why it doesn't work.

According to the inner-tunnel I uncommented:

        #
        #  Instead of "use_tunneled_reply", uncomment the
        #  next two "update" blocks.
        #
        update {
               &outer.session-state: += &reply:
        }

        update outer.session-state {
               MS-MPPE-Encryption-Policy !* ANY
               MS-MPPE-Encryption-Types !* ANY
               MS-MPPE-Send-Key !* ANY
               MS-MPPE-Recv-Key !* ANY
               Message-Authenticator !* ANY
               EAP-Message !* ANY
               Proxy-State !* ANY

        }



On Wed, Feb 20, 2019 at 8:25 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 20, 2019, at 2:13 PM, Vladimir Cvetic <vcvetic.vc at gmail.com> wrote:
> >
> > I can see in the debug log that the Session-Timeout attribute is set within
> > the inner tunnel but it doesn't make its way out into the access-accept
> > response. The session is not terminated by the NAS.
> >
> > Even with the parameter "use_tunneled_reply=yes" it doesn't work with PEAP.
> >
> > Even if it's working for EAP-TLS I'd like to know what I'm doing wrong but
> > I simply don't see it. Any hint you can share would be appreciated.
>
>   There *is* a debug log you can read.
>
>   Alan DeKok.
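
The attribute path that the quoted configuration comments describe, as an added example (not part of the original message and not the poster's actual configuration): the inner-tunnel `post-auth` caches the inner reply in `outer.session-state`, and the outer virtual server copies `session-state` into the final Access-Accept. The `Session-Timeout` value is constructed, and the outer `update` block is assumed to be present as in the stock FreeRADIUS 3.0.x `default` site.

```unlang
# --- sites-enabled/inner-tunnel, inside "server inner-tunnel { ... }" ---
post-auth {
	# Constructed example value. The attribute has to be in the inner
	# reply list before the copy below runs; anything added to the
	# inner reply after the copy is not cached.
	update reply {
		Session-Timeout := 3600
	}

	# Replacement for "use_tunneled_reply": cache the whole inner reply
	# on the outer session so it survives until the final Access-Accept.
	update {
		&outer.session-state: += &reply:
	}

	# Remove attributes that belong only to the tunnelled exchange, so
	# they are not copied into the outer reply.
	update outer.session-state {
		MS-MPPE-Encryption-Policy !* ANY
		MS-MPPE-Encryption-Types !* ANY
		MS-MPPE-Send-Key !* ANY
		MS-MPPE-Recv-Key !* ANY
		Message-Authenticator !* ANY
		EAP-Message !* ANY
		Proxy-State !* ANY
	}
}

# --- sites-enabled/default (outer), inside "server default { ... }" ---
post-auth {
	# Assumed present, as in the stock default site: add the cached
	# session-state attributes to the reply sent to the NAS.
	update {
		&reply: += &session-state:
	}
}
```

With both halves in place, the debug output for the final Access-Accept should list `Session-Timeout` among the attributes sent to the NAS; if it appears only in the inner-tunnel reply, the outer copy is the part to check.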

