On Jul 24, 2019, at 11:13 AM, Jan-Frederik Rieckers <rieckers+freeradius-devel@uni-bremen.de> wrote:
Thanks for the quick reply!
Try getting that level of support from Cisco. :)
I assume the fix was pushed in the commit "handle Access-Challenge responses" ?
Yes.
If so, it still has problems proxying Access-Challenge packets. See debug output and configuration below.
If you're running that code, you don't need to manually set the reply packet type. It should just work.
Regarding the linelog module: If I use %{reply:Packet-Type} as message selector, this variable seems to be empty. (I haven't tested that with the current master, only the one from yesterday)
Hmm.. I'll have to try that. We're using the linelog module a lot, and it seems to work fine.
(PS: Whenever I shoud stop using freeradius-devel for this and use freeradius-users or Github Issues, please tell me.)
It's fine to talk here.
Debug : (0) Received Access-Challenge ID 11 length 73 reply packet on connection proto udp local 0.0.0.0 port 56773 remote 10.11. 0.216 port 2084 Debug : (0) &EAP-Message = 0x010100061520 Debug : (0) &Message-Authenticator = 0xaa2410363e4546fcad585a1bb568af94 Debug : (0) &State = 0x57487590574960fe50542e3cd559b240 Debug : (0) &Proxy-State = 0x30 Debug : (0) &Proxy-State = 0x45ad4539 Debug : radsec1 - Setting idle timeout to +300.000 for connection proto udp local 0.0.0.0 port 56773 remote 10.11.0.216 port 2084 Debug : (0) running request Debug : (0) radsec1 - Resuming execution Debug : (0) radsec1 (updated) Debug : (0) } # group (updated)
That's good
Debug : (0) if (updated) { Debug : (0) update reply { Debug : (0) &Packet-Type := Access-Challenge Debug : (0) } # update reply (noop) Debug : (0) } # if (updated) (noop) Debug : (0) } # authenticate proxy-to-radsec (noop)
That's bad. The "noop' return code shouldn't over-ride the "updated" one. In the short term, you can do: authenticate proxy-to-radsec { redundant { radsec1 radsec2 } if (updated) { update reply { &Packet-Type := Access-Challenge } ok } } And that should fix it. Alan DeKok.