Multi-packet session state will be in version 3.0.5
The server has historically had problems dealing with authentication conversations that cross multiple packets. The existing "use_tunnel_reply" feature in TTLS and PEAP help, but aren't perfect. The behavior is not clear, and it's easy to get the configuration wrong. Version 3.0.5 fixes this problem. You can now do: authorize { ... update session-state { attributes ... } } These attributes are automatically cached when the server sends an Access-Challenge. They are automatically retrieved when the server receives an Access-Request. They are automatically deleted when the server sends an Access-Accept or Access-Reject. This means that the "inner-tunnel" server can now do: update outer.session-state { ... } And the final Access-Accept can be updated by the following code: post-auth { ... update { reply += session-state } } This feature should hopefully be simpler (and better) than the previous configurations. The code is available now in the v3.0.x branch in git. Please try it before 3.0.5 is released! Alan DeKok.
On 31 Oct 2014, at 11:12, Alan DeKok <aland@deployingradius.com> wrote:
The server has historically had problems dealing with authentication conversations that cross multiple packets. The existing "use_tunnel_reply" feature in TTLS and PEAP help, but aren't perfect. The behavior is not clear, and it's easy to get the configuration wrong.
It's also useful for rolling your own OTP systems, where the NAS does multiple rounds to send over the password and OTP token.
post-auth { ... update { reply += session-state } }
Hm, that syntax will likely generate warnings, I think this represents current best practice. post-auth { ... update { &reply: += &session-state: } } The colons can be omitted, it just makes it clearer it's a list to list copy. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (2)
-
Alan DeKok -
Arran Cudbard-Bell