TTLS-PAP accounting bug
I was just wondering if the bug from this post has been fixed since 1.1.6: "Re: EAP-TTLS outer identity & accounting" After alot of experimenting & researching, I still haven't found a solution to the TTL anonymous outer identity being used for accounting. I have set a DEFAULT entry that sets the User-Name attribute via ':=', but I still end up with two User-Name attributes (anonymous identity & real identity). This is especially strange, since use_tunneled_reply & copy_request_to_tunnel are both enabled as well. If I understand correctly, := should replace the anonymous (first) User-Name value with the real (second) value permitting they are in the same session. Upon looking back at the debug output, it looks like the tunneled request is actually handled as if it were a seperate request than the one containing it (request->eap module-(unpack)-
new request). This would explain why two User-Name attributes are showing up in the final response. Is there any way to discard the first (anonymous) entry via a module or other method without hacking FR code?
Surely someone has this working. My setup is just basic TTLS-PAP auth'ing against LDAP.
Sam Schultz wrote:
I was just wondering if the bug from this post has been fixed since 1.1.6:
"Re: EAP-TTLS outer identity & accounting"
No. It should be fixed before 1.1.7 is released, though. I'm not sure what changed, or why it's broken. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Sam Schultz wrote:
I was just wondering if the bug from this post has been fixed since 1.1.6:
No. It looks like the fix to make tunneled & proxied MS-CHAP work broke this. i.e. a "pairmove" was turned into a "pairadd". See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c: ... /* * If we've been told to use the attributes from * the reply, then do so. * * WARNING: This may leak information about the * tunneled user! */ if (t->use_tunneled_reply) { pairdelete(&reply->vps, PW_PROXY_STATE); pairadd(&request->reply->vps, reply->vps); reply->vps = NULL; } ... change the "pairadd" to a "pairmove", and also in rlm_eap_ttls.c: case EAPTLS_SUCCESS: if (t->authenticated) { if (t->reply) { pairadd(&handler->request->reply->vps, t->reply); t->reply = NULL; } ... Change this one, too. If it works, I'll commit a patch. Alan DeKok.
participants (3)
-
Alan Dekok -
Alan DeKok -
Sam Schultz