On 27/05/2021 16:00, Matteo Raffa wrote:
Specifically, I have set Tunnel-Private-Group-ID on LDAP for each user, so I need to pass this together with Tunnel-Type := 13 and Tunnel-Medium-Type := 6.
OK
At this point I went in inner-tunnel in post-auth and tried to have the above mentioned attributes passed to outer reply
# # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID }
This is for deleting attributes that are in the inner tunnel and should not be in the reply. You could set Tunnel-Type and Tunnel-Medium-Type here, but the last line is a no-op.
# # Copy the inner reply attributes to the outer # session-state list. The post-auth policy will take # care of copying the outer session-state list to the # outer reply. # update { &outer.session-state: += &reply: }
Your last debug doesn't show this. Have you removed it? It copies the inner tunnel reply into the session-state list. The outer post-auth then copies the session-state list into the final reply.
}
And that’s where I start to get errors (see the second debug log). The update outer session-state block returns this error: ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context I tried to sort that out and did various tests for the past day, but I really couldn’t understand what that is due to.
That's because you are testing against the inner tunnel directly, so there is no "outer" to copy to.
I get the same error even if I remove the attribute assignment from ldap module and keep the default in update reply block in inner tunnel (so without the Tunnel-* stuff I added), so I can’t really understand where it comes from.
Use e.g. eapol_test to send debug requests to the main virtual server on port 1812, rather than radtest to the inner tunnel.
It seems that the problem only arise when the reply gets copied to the outer session-state, in fact, if I comment that update block out, the inner-tunnel reply is correctly built and sent with Access-Accept (See third debug log).
Can you point me in the right direction?
Make sure the session-state stuff is still there, bot in the inner-tunnel and in post-auth section of the outer server. Send tests to the outer virtual server, not the inner. Then it will work. -- Matthew