Minor Bug in TTLS implementation

fabien.marotte at freesurf.fr fabien.marotte at freesurf.fr
Tue May 31 14:14:50 CEST 2005


Hi,

I noticed a minor bug in the TTLS implementation.

I configured my Freeradius server to do a TTLS exchange with a supplicant
(through a NAS).
This Freeradius server proxies tunneled requests to another RADIUS server.

When the external server replies EAP-Success/Radius-AccessAccept to the
Freeradius proxy, the tunnel is correctly destroyed and the FreeRadius proxy
sends EAP-Success/RADIUS-AccessAccept to the supplicant.

This last message is correct but it contains the PROXY_STATE attribute that
FreeRadius had added during the proxy exchanges.

As it seems that the latest CVS version doesn't correct this bug, I have made a
correction (in version 1.20) of the ttls.c file, in the process_reply
function after line 652.
Value pairs of the proxy reply are moved into the reply vps.

The problem is that the PROXY_STATE is still present in proxy reply vps and
is moved with the others.

So I have added these two instructions to remove the PROXY_STATE attribute
in the reply vps:
      pairmove2(&vp, &request->reply->vps, PW_PROXY_STATE);
      pairfree(&vp);


It works but I don't know if it's the best way to correct the bug.

Fabien Marotte
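
A way to check the behaviour described in the message above from the wire side, as an added example that is not part of the original post or of FreeRADIUS: it walks the attributes of a raw RADIUS packet and reports whether an Access-Accept still carries a Proxy-State (type 33). The function names and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RADIUS_HDR_LEN      20  /* code, id, length(2), authenticator(16) */
#define PW_ACCESS_ACCEPT    2
#define ATTR_PROXY_STATE    33  /* Proxy-State, RFC 2865 */

/* Count attributes of `type` in a raw RADIUS packet; -1 if malformed. */
int radius_count_attr(const uint8_t *pkt, size_t len, uint8_t type)
{
    if (len < RADIUS_HDR_LEN) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < RADIUS_HDR_LEN || plen > len) return -1;
    int count = 0;
    size_t off = RADIUS_HDR_LEN;
    while (off < plen) {
        if (plen - off < 2) return -1;            /* truncated TLV header */
        size_t alen = pkt[off + 1];               /* includes type+length */
        if (alen < 2 || alen > plen - off) return -1;
        if (pkt[off] == type) count++;
        off += alen;
    }
    return count;
}

/* 1: Access-Accept with leftover Proxy-State, 0: clean, -1: malformed. */
int accept_leaks_proxy_state(const uint8_t *pkt, size_t len)
{
    int n = radius_count_attr(pkt, len, ATTR_PROXY_STATE);
    if (n < 0) return -1;
    return pkt[0] == PW_ACCESS_ACCEPT && n > 0;
}

/* Constructed minimal packets (not captured traffic, zeroed authenticator). */
static const uint8_t leaky_accept[] = {
    2, 7, 0, 30,  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    79, 6, 3, 7, 0, 4,        /* EAP-Message: EAP-Success, id 7, length 4 */
    33, 4, 0x31, 0x32         /* Proxy-State left over from the proxy leg */
};
static const uint8_t clean_accept[] = {
    2, 7, 0, 26,  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    79, 6, 3, 7, 0, 4
};

int main(void)
{
    printf("leaky=%d clean=%d\n",
           accept_leaks_proxy_state(leaky_accept, sizeof leaky_accept),
           accept_leaks_proxy_state(clean_accept, sizeof clean_accept));
    return 0;
}
```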




