Hi! I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept? After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal: ========================================================================== sites-enabled/default.in<http://default.in/> ----- post-auth { + if ( &session-state:Framed-MTU ) { + update session-state { + &Framed-MTU !* ANY + } + } ========================================================================== Is this method correct? Additionally, is there a simpler and safer way to remove the "Framed-MTU"? Thank you for your assistance. Please find the debug log below for your reference. Due to email size constraints, I have included an excerpt in the email. For the full log, please refer to the attached FreeRadiusv3_2_7_PEAP_Accept.log. ========================================================================== FreeRADIUS Version 3.2.7 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/totp including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including configuration file /usr/local/etc/raddb/mods-enabled/exec including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/rfc7542 including configuration file /usr/local/etc/raddb/policy.d/accounting including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (10) Received Access-Request Id 10 from 10.27.51.116:57794 to 10.27.253.187:1812 length 181 (10) User-Name = "testuser" (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id = "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) EAP-Message = 0x02db002e1900170303002310158c7451c89b82dd9648b451912651938c789a7c0457355d16f4c534c4ececc8d968 (10) State = 0xb7ba80b5be61993f874d82a0836e8f2a (10) Message-Authenticator = 0x6fdfa7aec2e249db346658bdd5d27b5b (10) Restoring &session-state (10) &session-state:Framed-MTU = 994 (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "testuser", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 219 length 46 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Removing EAP session with state 0xb7ba80b5be61993f (10) eap: Previous EAP request found for state 0xb7ba80b5be61993f, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap: Sending EAP Success (code 3) ID 219 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (10) post-auth { (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (10) update { (10) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHello' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Certificate' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, Finished' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 ChangeCipherSpec' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Finished' (10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (10) } # update = noop (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) if (EAP-Key-Name && &reply:EAP-Session-Id) { (10) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (10) } # post-auth = noop (10) Sent Access-Accept Id 10 from 10.27.253.187:1812 to 10.27.51.116:57794 length 176 (10) MS-MPPE-Recv-Key = 0x608f9a06f91c5f0e78718d27476ba06fd7f1bcf07327ba08e25eff6a611ac05b (10) MS-MPPE-Send-Key = 0xb34c7fbf7ee95be27291e9949dd47b3cbd9bb9e933ebe2a518adc990d5bf854c (10) EAP-Message = 0x03db0004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "testuser" (10) Framed-MTU += 994 (10) Finished request Waking up in 4.9 seconds. EXIT(2) CALLED src/main/radiusd.c[792] ==========================================================================