Stefan Winter wrote:
so, now that session resumption works, there seems to be an error in the calculation of Chargeable-User-Identity in the *reauth* of tunneled methods (tried PEAP).
Why re-calculate it? It should be cached and replayed from the cache. I'll add CUI to the cache. Ideally, the cache entries should be configurable. Patches are welcome. :)
so during reauth time, the username to be used is known prior to the calculation of the reauth CUI.
And yet:
expand: "%{sha1:changeme%{tolower:%{User-Name}}%{%{Operator-Name}:-}}" -> 'ad40aca101096cde0ce27b387939e4c76d8234ca'
This is not what one needs.
The debug output should show the expansion of the User-Name and Operator-Name. That will let you know what's going on.
I wonder how to correctly reference the "inner" User-Name. Since there is no phase 2 (but a fake attribute list for that phase 2) would inner.User-Name work? Or use reply:User-Name explicitly?
You'll have to copy the inner User-Name to the outer reply. Perhaps as another attribute.
One of those two should fix the situation if writing
"%{sha1:changeme%{tolower:%{%{reply:User-Name}:-%{User-Name}}}%{%{Operator-Name}:-}}"
The reply (or maybe inner) part of it would work for the retrieved fake phase2 id, and for methods with no tunnel at all (say EAP-TLS) it would get expanded to the normal User-Name as before.
Maybe.
Is my argumentation sound? And the fix reasonable?
If it works. Honestly, it's easier to just cache the CUI. Alan DeKok.