PEAP request with EAP-MSCHAPv2 as Phase 2, how to store attribute data.
Hello, I use configuration what can handle PEAP + EAP-MSCHAPv2 as Phase 2 and proxy inner tunnel request to another home server. I need log request with real username (inner identity) and other custom attribute available in inner tunnel phase. For other requests like EAP-TTLS/PAP it is trivial, in authorize section I save attributes of interest to me in control list, because proxy response override reply list. Proxy response set back to inner tunnel and In post-auth section I expand stored attributes and linelog directive do work. Then request type is PEAP + EAP-MSCHAPv2 as Phase 2, proxy save response to "some temporary storage" (Saving tunneled attributes for later) (101) eap: Doing post-proxy callback (101) eap: Passing reply from proxy back into the tunnel (101) eap: Got tunneled reply RADIUS code 2 (101) eap: EAP-Message = 0x03080004 (101) eap: Message-Authenticator = 0x21a9b5e96fc954c7cb0713477905fe5b (101) eap: User-Name = "testing_remote" (101) eap: Proxy-State = 0x38 (101) eap: Tunneled authentication was successful (101) eap: SUCCESS (101) eap: Saving tunneled attributes for later (101) eap: Reply was handled And after that supplicant sent final request. Freeradius clear the control list (checked it with debug_all directive, I am not asking freeradius to do it, it happens automaticly), so I lost my attributes saved in control list. Freeradius continue eap session and restore User-Name to reply list from temporary storage, (102) eap_peap: [eaptls process] = ok (102) eap_peap: Session established. Decoding tunneled attributes (102) eap_peap: PEAP state send tlv success (102) eap_peap: Received EAP-TLV response (102) eap_peap: Success (102) eap_peap: Using saved attributes from the original Access-Accept (102) eap_peap: User-Name = "testing_remote" (102) eap_peap: caching User-Name = "testing_remote" (102) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (102) eap: Sending EAP Success (code 3) ID 9 length 4 (102) eap: Freeing handler tls: Freeing cached session VPs So in post-auth section I have real username, but los my custom attributes stored in control list. (102) EXPAND %{reply:User-Name} (102) --> testing_remote (102) EXPAND %{control:User-Name} (102) --> (102) EXPAND %{User-Name} (102) --> anonymous If is it possible, how I can store my custom attributes to "some temporary storage" to have access to them in the very last stage.
On Nov 9, 2017, at 1:41 PM, work vlpl <thework.vlpl@gmail.com> wrote:
I use configuration what can handle PEAP + EAP-MSCHAPv2 as Phase 2 and proxy inner tunnel request to another home server. I need log request with real username (inner identity) and other custom attribute available in inner tunnel phase. For other requests like EAP-TTLS/PAP it is trivial, in authorize section I save attributes of interest to me in control list, because proxy response override reply list.
That won't work. The "control" list is per-packet. It isn't saved across multiple packets. You need the "session-state" list. See "man unlang", and look for "session-state". Look also for "session-state" in raddb/sites-available/default. That has lots of examples and documentation. If you're running a very old version of 3.0, you will need to upgrade. But if you're running anything after 3.0.6, it should work. Alan DeKok.
participants (2)
-
Alan DeKok -
work vlpl