How to Remove Framed-MTU from Access-Accept in PEAP Authentication
Hi! I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept? After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal: ========================================================================== sites-enabled/default.in<http://default.in/> ----- post-auth { + if ( &session-state:Framed-MTU ) { + update session-state { + &Framed-MTU !* ANY + } + } ========================================================================== Is this method correct? Additionally, is there a simpler and safer way to remove the "Framed-MTU"? Thank you for your assistance. Please find the debug log below for your reference. Due to email size constraints, I have included an excerpt in the email. For the full log, please refer to the attached FreeRadiusv3_2_7_PEAP_Accept.log. ========================================================================== FreeRADIUS Version 3.2.7 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/totp including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including configuration file /usr/local/etc/raddb/mods-enabled/exec including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/rfc7542 including configuration file /usr/local/etc/raddb/policy.d/accounting including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (10) Received Access-Request Id 10 from 10.27.51.116:57794 to 10.27.253.187:1812 length 181 (10) User-Name = "testuser" (10) NAS-IP-Address = 127.0.0.1 (10) Calling-Station-Id = "02-00-00-00-00-01" (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Connect-Info = "CONNECT 11Mbps 802.11b" (10) EAP-Message = 0x02db002e1900170303002310158c7451c89b82dd9648b451912651938c789a7c0457355d16f4c534c4ececc8d968 (10) State = 0xb7ba80b5be61993f874d82a0836e8f2a (10) Message-Authenticator = 0x6fdfa7aec2e249db346658bdd5d27b5b (10) Restoring &session-state (10) &session-state:Framed-MTU = 994 (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "testuser", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 219 length 46 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Removing EAP session with state 0xb7ba80b5be61993f (10) eap: Previous EAP request found for state 0xb7ba80b5be61993f, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Success (10) eap: Sending EAP Success (code 3) ID 219 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (10) post-auth { (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (10) update { (10) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHello' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Certificate' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, Finished' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 ChangeCipherSpec' (10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Finished' (10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (10) } # update = noop (10) [exec] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) if (EAP-Key-Name && &reply:EAP-Session-Id) { (10) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (10) } # post-auth = noop (10) Sent Access-Accept Id 10 from 10.27.253.187:1812 to 10.27.51.116:57794 length 176 (10) MS-MPPE-Recv-Key = 0x608f9a06f91c5f0e78718d27476ba06fd7f1bcf07327ba08e25eff6a611ac05b (10) MS-MPPE-Send-Key = 0xb34c7fbf7ee95be27291e9949dd47b3cbd9bb9e933ebe2a518adc990d5bf854c (10) EAP-Message = 0x03db0004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "testuser" (10) Framed-MTU += 994 (10) Finished request Waking up in 4.9 seconds. EXIT(2) CALLED src/main/radiusd.c[792] ==========================================================================
On May 1, 2025, at 6:24 PM, 早川 拓人 <Takuto.Hayakawa@soliton.co.jp> wrote:
I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept?
After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal:
Yes, that works.
========================================================================== sites-enabled/default.in<http://default.in/> -----
post-auth { + if ( &session-state:Framed-MTU ) { + update session-state { + &Framed-MTU !* ANY + } + } ==========================================================================
Is this method correct? Additionally, is there a simpler and safer way to remove the "Framed-MTU"?
Thank you for your assistance.
Please find the debug log below for your reference. Due to email size constraints, I have included an excerpt in the email. For the full log, please refer to the attached FreeRadiusv3_2_7_PEAP_Accept.log.
If you post the debug output as text, there's no issue. You had multiple messages to the list rejected because you were posting it as HTML, and then also attaching more files to the message. The documentation says to post text to the list. The debug output for one PEAP authentication is fairly small, and won't reach anywhere near the limits of the list. Alan DeKok.
I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept?
After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal:
Yes, that works.
Thank you very much for your response — it was extremely helpful.
If you post the debug output as text, there's no issue. You had multiple messages to the list rejected because you were posting it as HTML, and then also attaching more files to the message.
The documentation says to post text to the list. The debug output for one PEAP authentication is fairly small, and won't reach anywhere near the limits of the list.
I hadn’t realized that my email was being sent in HTML format. I’ve now updated the settings, so I believe this message should be fine. Thank you again for kindly pointing that out. Best regards, /hayakawa
2025/05/02 19:14、Alan DeKok <aland@deployingradius.com>のメール:
On May 1, 2025, at 6:24 PM, 早川 拓人 <Takuto.Hayakawa@soliton.co.jp> wrote:
I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept?
After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal:
Yes, that works.
========================================================================== sites-enabled/default.in<http://default.in/> -----
post-auth { + if ( &session-state:Framed-MTU ) { + update session-state { + &Framed-MTU !* ANY + } + } ==========================================================================
Is this method correct? Additionally, is there a simpler and safer way to remove the "Framed-MTU"?
Thank you for your assistance.
Please find the debug log below for your reference. Due to email size constraints, I have included an excerpt in the email. For the full log, please refer to the attached FreeRadiusv3_2_7_PEAP_Accept.log.
If you post the debug output as text, there's no issue. You had multiple messages to the list rejected because you were posting it as HTML, and then also attaching more files to the message.
The documentation says to post text to the list. The debug output for one PEAP authentication is fairly small, and won't reach anywhere near the limits of the list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
早川 拓人