Hello everyone:

I am using freeradius-2.1.8 with EAP-TTLS / MSCHAPv2. I happen to get a problem where some attributes are missing in the Access-Accept message, while they appear in the first Access-Challenge message. I still find that those attributes appear in the tunneled reply (I use the debug mode).

Searching the mailing list, I find that a similar problem appeared two years ago; here is the mail. Any suggestion is welcome, thanks a lot.

sunhualing


Hi,

We formulate our reply inside of the virtual server dealing with EAP and send it back to the outer server. This is the only way I could think of to insert the inner identity into the Access-Accept. It all works fine... however it seems there's a bug when dealing with multiple instances of the same attribute.

For example:

users / sql

DEFAULT Service-Type == Framed-User, Realm == 'local', SS-Flags =~ "^.1........$"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 603,
        Reply-Message = "User %{%{Stripped-User-Name}:-%{User-Name}} authenticated for ResNet access on NAS:%{%{NAS-Identifier}:-Uknown NAS} SSID:%{%{Called-Station-SSID}:-none}.",
        HP-IP-FILTER-RAW = 'deny in 41 from any to any',
        HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.1',
        HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.2',
        HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.3',
        HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.4',
        HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.5',
        Fall-Through = no

Ends up being sent as the response:

# server default-inner
PEAP: Got tunneled reply RADIUS code 2
        Service-Type = Framed-User
        Framed-MTU = 1480
        Framed-Routing = None
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "603"
        Reply-Message = "User ac221 authenticated for ResNet access on NAS:hp-e-engg1-1-dev-8021x-sw1 SSID:none."
        HP-Ip-Filter-Raw = "deny in 41 from any to any"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.1"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.2"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.3"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.4"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.5"
        EAP-Message = 0x03490004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "ac221"
PEAP: Processing from tunneled session code 0x845cb10 2
        Service-Type = Framed-User
        Framed-MTU = 1480
        Framed-Routing = None
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "603"
        Reply-Message = "User ac221 authenticated for ResNet access on NAS:hp-e-engg1-1-dev-8021x-sw1 SSID:none."
        HP-Ip-Filter-Raw = "deny in 41 from any to any"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.1"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.2"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.3"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.4"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.5"
        EAP-Message = 0x03490004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "ac221"
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
Saving tunneled attributes for later

So when it's actually used in the Access-Accept packet it appears as:

Sending Access-Accept of id 173 to 139.184.8.16 port 1024
        Service-Type = Framed-User
        Framed-MTU = 1480
        Framed-Routing = None
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "603"
        HP-Ip-Filter-Raw = "deny in 41 from any to any"
        User-Name = "ac221@sussex.ac.uk"
        MS-MPPE-Recv-Key = 0xdec383f4a269cb3d8fcf59cd9e351971c3a9a3683a7c245144a0b852634c7a03
        MS-MPPE-Send-Key = 0xb9f49bba9f9020deaa745c6ea0e8f5b92e72e2fc5b6465aed4a9231f10edd696
        EAP-Message = 0x034a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.

What's really weird is that in the previous rounds of EAP the attributes retain the += operator; it's only in the one where the EAP-Success message is returned that all the operators are stripped out.

Relevant EAP bits:

eap {
        ...
        ttls {
                ...
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "default-inner"
        }
}

Thanks,
Arran
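A diagnostic check for the symptom both mails describe, added here and not part of either message or of FreeRADIUS: it parses a FreeRADIUS debug log and lists the attribute/value pairs present in the inner server's "Got tunneled reply" block but absent from the outer "Sending Access-Accept" block. The log excerpt is constructed from the output quoted above; attributes that legitimately differ between inner and outer reply (User-Name, EAP-Message, Message-Authenticator, MS-MPPE keys) are ignored.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on the debug output quoted in the thread.
DEBUG_LOG = """\
PEAP: Got tunneled reply RADIUS code 2
        Tunnel-Type:0 = VLAN
        HP-Ip-Filter-Raw = "deny in 41 from any to any"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.1"
        HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.2"
        User-Name = "ac221"
PEAP: Tunneled authentication was successful.
Sending Access-Accept of id 173 to 139.184.8.16 port 1024
        Tunnel-Type:0 = VLAN
        HP-Ip-Filter-Raw = "deny in 41 from any to any"
        User-Name = "ac221@sussex.ac.uk"
Finished request 9.
"""

# Attribute lines are indented; an "Attr:tag" tag suffix is dropped.
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::\d+)?\s*=\s*(.*)$")
# These legitimately differ between the inner reply and the outer Access-Accept.
IGNORE = {"User-Name", "EAP-Message", "Message-Authenticator",
          "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"}


def parse_blocks(log):
    """Count (attribute, value) pairs in the 'Got tunneled reply' block
    and in the 'Sending Access-Accept' block of a debug log."""
    tunneled, accept = Counter(), Counter()
    current = None
    for line in log.splitlines():
        if "Got tunneled reply" in line:
            current = tunneled
        elif line.startswith("Sending Access-Accept"):
            current = accept
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[(m.group(1), m.group(2).strip('"'))] += 1
            else:
                current = None  # an unindented line ends the attribute block
    return tunneled, accept


def dropped_attributes(log):
    """Pairs the inner server returned that the Access-Accept lacks."""
    tunneled, accept = parse_blocks(log)
    return sorted(pair for pair, n in tunneled.items()
                  if pair[0] not in IGNORE and accept[pair] < n)
```

Run against a full `radiusd -X` capture, only the second and later instances of a multi-valued attribute should show up if the behaviour described in the thread is occurring.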