/
Nitin Bhardwaj wrote:
Hi,
Please edit your posts. It's not nice to go through hundreds of lines of garbage in order to read the *real* content of the message. /Alan, I posted the output of "radiusd -X" in the previous message as is the norm on the mailing-list, and replied to the same in last message. That is not a *garbage*, isn't it ?
/
Found out that this works perfectly fine in freeradius 3.0.0 (master git branch).
That's nice to know.
Can anyone please suggest which patches I need to back-port to 2.1.11 to make this work in 2.1.x branch too ?
You can't. The code is *completely* different.
Alan DeKok. /In 2.1.11, I observed that the problem happens when you set "proxy_tunneled_request_as_eap = no" (with "default_eap_type = mschapv2"). Hence it seems the function mschap_postproxy() in rlm_eap_mschapv2.c is somehow wiping off the extra attributes.
Comparing radiusd -X logs of 2.x with 3.x, corroborate this observation: -------------------------< snip-log 2.x >------------------------------- # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. server proxy-inner-tunnel { [eap] Passing reply back for EAP-MS-CHAP-V2 # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group post-proxy {...} [eap] Doing post-proxy callback rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8e86e20 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. } # server proxy-inner-tunnel -------------------------< snip-end >------------------------------- -------------------------< snip-log 3.x >--------------------------- (8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default (8) group post-proxy { (8) - entering group post-proxy {...} (8) eap : Doing post-proxy callback (8) eap : Passing reply from proxy back into the tunnel. server proxy-inner-tunnel { (8) eap : Passing reply back for EAP-MS-CHAP-V2 (8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel (8) group post-proxy { (8) - entering group post-proxy {...} (8) [eap] = noop (8) WARNING: Empty post-auth section. Using default return values. } # server proxy-inner-tunnel -------------------------< snip-end >------------------------------- In 3.x code, We are returning a RLM_MODULE_NOOP from eap_post_proxy() : 582 /* 583 * Just in case the admin lists EAP in post-proxy-type Fail. 584 */ 585 if (!request->proxy_reply) return RLM_MODULE_NOOP; But we are not doing so in 2.1.11 code. We call the MSCHAPv2 callback, i.e. mschap_postproxy(), which might be wiping off the attributes. So, my question is: will adding this code patch to 2.x code prudent to make it work ? Or we need to fix the mschapv2 handler itself : mschap_postproxy() in rlm_eap_mschapv2.c,so that it retains the extra attributes sent by the RADIUS home server ? Please advise. -- Thanks, Nitin.