On Fri, 27 Apr 2018 at 19:20, Alan DeKok <aland@deployingradius.com> wrote: Use a database.
If I will be using database, how I can track users, I mean how to get session id?
The code *should* clear session-state only after running the post-auth section.
I think what's happening is that it's using the outer State attribute inside of the inner tunnel. So when the inner tunnel returns Access-Reject, the session-state is cleared. Which just happens to be the same state as for the outer session.
I think the solution is to just not delete the session state when inside the inner-tunnel. It will be deleted in the outer tunnel anyways, so that should work.
I am not using any special instruction in configuration to clear session-state. There are parts from configuration. I stripped down linelog instructions. from inner tunnel config: -------------- post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy {} post-proxy { eap } } -------------- from outer tunnel config: -------------- post-auth { exec remove_reply_message_if_eap linelog `...` Post-Auth-Type REJECT { update control { Some-Attribute := &session-state:Some-Attribute } attr_filter.access_reject eap linelog `...` remove_reply_message_if_eap } } pre-proxy { } post-proxy { update control { Some-Attribute := &session-state:Some-Attribute } eap } } -------------- To debug, when session-state list is cleared I added in fr_state_discard() function debug message ">>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<<" and there is a log. Again, I stripped down linelog output. -------------- (6) Received Access-Reject Id 100 from 172.20.0.5:1812 to 172.20.0.6:42957 length 23 (6) Proxy-State = 0x36 (6) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/testing-stie (6) post-proxy { (6) update control { (6) Some-Attribute := &session-state:Some-Attribute -> 'testing_remote' (6) } # update control = noop (6) eap: Doing post-proxy callback (6) eap: Passing reply from proxy back into the tunnel (6) eap: Got tunneled Access-Reject (6) eap: Reply was rejected (6) eap: Failed in post-proxy callback (6) eap: Sending EAP Failure (code 4) ID 6 length 4 (6) [eap] = reject (6) } # post-proxy = reject (6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<< (6) Using Post-Auth-Type Reject (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/testing-stie (6) Post-Auth-Type REJECT { (6) update control { (6) No attributes updated (6) No attributes updated (6) } # update control = noop (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> anonymous (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) [eap] = noop (6) linelog: EXPAND messages.%{%{Packet-Type}:-default} (6) linelog: --> messages.Access-Request ... (6) EXPAND Some-Attribute=%{%{control:Some-Attribute}:-no}, (6) --> Some-Attribute=testing_remote, (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # Post-Auth-Type REJECT = updated (6) >>>>>>>>>>> DISCARDING SESSION-STATE <<<<<<<<<< (6) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. -------------- As you can see debug message shows two times. I think session-states are cleared in this line https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/auth.c#... So just to clarify, If home server return Access-Reject, then Post-Auth-Type REJECT section will not have access to session-state list?