On 17 Mar 2015, at 16:21, Sam Hartman <hartmans@mit.edu> wrote:
Hi.
So, as we've discussed previously, setting use_tunneled_reply is really kind of undesirable with methods like mschapv2 that generate their own keys. Also, it tends to do undesirable things and expose the channel binding messages to the outer reply.
based on the documentation it sounds like I ought to be able to use the session-state list to move attributes between the inner tunnel and outer tunnel.
however, in inner-tunnel's post auth section
update session-state { session-state:User-Name = &Request:User-Name } returns noop.
Yes, unlang constructs don't change the rcode for the section unless there's been an error. If there are no module calls before it, it will just return the default rcode for the section. If you did: ok update session-state { session-state:User-Name = &Request:User-Name } You'd see it return ok.
First, should session-state work for this purpose?
Yes. I tried this very recently and it works fine.
If so, what am I doing wrong?
You want update outer.session-state, not update session-state. You're writing session attributes to the state list associated with original request, not the fake tunnelled one. So the actual update statement (without the redundant qualifiers) would be: update outer.session-state { &User-Name = &User-Name } Don't know if you need to deal with session resumption in the work you're doing. If you are, probably best to test to make sure everything works as you'd expect. Especially with anonymous outer identities. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2