Having 2 User-Name when using Session Resumption
Hello all, I am experiencing the following problem when using EAP-TLS and session resumption. When my client tries to authenticate for the 2nd time and FR recognizes that it has a valid session for it, it goes on and adds a cached attribute to the reply (User-Name) thus ending up with two User-Name attributes in my packet reply to NAS. Debug: SSL Connection Established Debug: SSL Application Data Info: [tls] eaptls_process returned 3 Info: [tls] Retrieved session data from cached session Info: [tls] Adding cached attributes to the reply: User-Name = "anonymous@myisp2.com" Info: [eap] Freeing handler Info: ++[eap] returns ok Auth: Login OK: [anonymous@myisp2.com] (from client my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99) Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Info: +- entering group post-auth {...} Info: ++[exec] returns noop Sending Access-Accept of id 23 to 2001:db95::100 port 1814 User-Name = "anonymous@myisp2.com" User-Name = "anonymous@myisp2.com" MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007 MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2 EAP-Message = 0x03c90004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x34 How could I check if my reply has two User-Name attributes and remove one? I am guessing that I should add some code in my post-auth.. Thanks a lot in advance, Panos PS. in order for session resumption to work on EAP-TLS I am having an update reply { User-Name = "%{request:User-Name}"} section at the end of my auth stanza of default which explains why it is not surprising to have the first instance of User-Name there when FR decides to add cached attributes... (if I don't have this update reply code SR doesn't work in EAP-TLS)
Well, just to answer my own question really.. I 've been messing about with it all morning, trying to figure out where exactly should I put my code to check for duplicate User-Name attributes and how could I implement removing only one, but in fact after sending the email to the list I realized that I could go to post-auth and remove all User-Name attributes and add one, with the following : update reply { User-Name !* 0x00 User-Name = "%{request:User-Name}" } It's not pretty, but it does the job! Now all I have to do is do more testing to see if it affects other things... Cheers, Panos
-----Original Message----- From: freeradius-users- bounces+panos=comp.lancs.ac.uk@lists.freeradius.org [mailto:freeradius- users-bounces+panos=comp.lancs.ac.uk@lists.freeradius.org] On Behalf Of Panagiotis Georgopoulos Sent: 19 November 2010 14:30 To: freeradius-users@lists.freeradius.org Subject: Having 2 User-Name when using Session Resumption
Hello all,
I am experiencing the following problem when using EAP-TLS and session resumption. When my client tries to authenticate for the 2nd time and FR recognizes that it has a valid session for it, it goes on and adds a cached attribute to the reply (User-Name) thus ending up with two User- Name attributes in my packet reply to NAS.
Debug: SSL Connection Established Debug: SSL Application Data Info: [tls] eaptls_process returned 3 Info: [tls] Retrieved session data from cached session Info: [tls] Adding cached attributes to the reply: User-Name = "anonymous@myisp2.com" Info: [eap] Freeing handler Info: ++[eap] returns ok Auth: Login OK: [anonymous@myisp2.com] (from client my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99) Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Info: +- entering group post-auth {...} Info: ++[exec] returns noop Sending Access-Accept of id 23 to 2001:db95::100 port 1814 User-Name = "anonymous@myisp2.com" User-Name = "anonymous@myisp2.com" MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007 MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2 EAP-Message = 0x03c90004 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x34
How could I check if my reply has two User-Name attributes and remove one? I am guessing that I should add some code in my post-auth..
Thanks a lot in advance, Panos
PS. in order for session resumption to work on EAP-TLS I am having an update reply { User-Name = "%{request:User-Name}"} section at the end of my auth stanza of default which explains why it is not surprising to have the first instance of User-Name there when FR decides to add cached attributes... (if I don't have this update reply code SR doesn't work in EAP-TLS)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Panagiotis Georgopoulos <panos@comp.lancs.ac.uk> wrote:
Well, just to answer my own question really.. I 've been messing about with it all morning, trying to figure out where exactly should I put my code to check for duplicate User-Name attributes and how could I implement removing only one, but in fact after sending the email to the list I realized that I could go to post-auth and remove all User-Name attributes and add one, with the following :
update reply { User-Name !* 0x00 User-Name = "%{request:User-Name}" }
...or 'User-Name := foobar' Cheers -- Alexander Clouter .sigmonster says: There is no royal road to geometry. -- Euclid
participants (2)
-
Alexander Clouter -
Panagiotis Georgopoulos