3.0.x: Session resumption and CUI calculation

Stefan Winter stefan.winter at restena.lu
Tue Feb 11 09:36:59 CET 2014


So, now that session resumption works, there seems to be an error in the
calculation of Chargeable-User-Identity in the *reauth* of tunneled
methods (tried PEAP).

Here is a full -Xxx debug log to show the xlat parser sequence:


The input in both the auth and re-auth is an Access-Request with
Operator-Name = "1restena.lu"
User-Name (outer) = "availability-test@education.lu"

In phase 2 during auth, the actual inner User-Name is then
"test.eduroam@education.lu". This is correctly memorised by the session
cache logic.

At first auth:

The (default) salt "changeme", the inner User-Name and the Operator-Name
value trigger the calculation and returning of CUI.
The calculated value is

Chargeable-User-Identity = '5a91e08fc9760dca96a311ccb333e2b8737ad600'

which I think is correct.

During re-auth, I see the line:

eap_peap : Adding cached attributes for session
        User-Name = 'test.eduroam@education.lu'

So at reauth time, the username to be used is known prior to the
calculation of the reauth CUI.

And yet:

expand: "%{sha1:changeme%{tolower:%{User-Name}}%{%{Operator-Name}:-}}"
-> 'ad40aca101096cde0ce27b387939e4c76d8234ca'

This is not what one needs.

I suspect that this construct uses the request:User-Name
(availability-test@education.lu) instead of the retrieved session's
(test.eduroam@education.lu).

I wonder how to correctly reference the "inner" User-Name. Since there
is no phase 2 (but a fake attribute list for that phase 2), would
inner.User-Name work? Or use reply:User-Name explicitly?

One of those two should fix the situation if writing


The reply (or maybe inner) part of it would work for the retrieved fake
phase2 id, and for methods with no tunnel at all (say EAP-TLS) it would
get expanded to the normal User-Name as before.

Is my argumentation sound? And the fix reasonable?


Stefan Winter

Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

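The mismatch described in the post above, modeled as an added Python example (this is not FreeRADIUS code and not part of the original message): the xlat `%{sha1:changeme%{tolower:%{User-Name}}%{%{Operator-Name}:-}}` is reproduced as SHA-1 over the salt, the lower-cased User-Name and the Operator-Name (empty string when absent), and the two candidate expansions at re-auth are compared: the one that reads the outer `request:User-Name`, and the one that prefers the cached inner User-Name and falls back to the outer one when no tunnel exists. The user names and Operator-Name are the values quoted in the post; the `Request` record, the `cui_*` helper names and the EAP-TLS request are constructed for illustration.

```python
"""Model of the CUI expansion discussed on the FreeRADIUS-devel list.

Assumption (from the expansion shown in the post):
    CUI = sha1(salt || tolower(User-Name) || Operator-Name-or-"")
This file is an illustrative model, not FreeRADIUS's own implementation.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Default salt named in the post. A deployment must replace it, since the
# salt is the only thing keeping the CUI from being a plain hash of the
# user name that any peer knowing Operator-Name could precompute.
DEFAULT_SALT = "changeme"


def cui(user_name: str, operator_name: Optional[str], salt: str = DEFAULT_SALT) -> str:
    """Mirror of %{sha1:<salt>%{tolower:%{User-Name}}%{%{Operator-Name}:-}}.

    %{tolower:...} lower-cases the user name; %{%{Operator-Name}:-} expands
    to the attribute value, or to the empty string when it is absent.
    """
    material = salt + user_name.lower() + (operator_name or "")
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for the attribute lists seen by the xlat."""
    outer_user_name: str              # request:User-Name (outer identity)
    operator_name: Optional[str]      # request:Operator-Name, may be absent
    inner_user_name: Optional[str]    # phase-2 / cached User-Name, None for EAP-TLS


def cui_from_outer(req: Request) -> str:
    """What the post suspects happens at re-auth: %{User-Name} resolves to
    the outer identity even though the inner one has been restored from the
    session cache."""
    return cui(req.outer_user_name, req.operator_name)


def cui_preferring_inner(req: Request) -> str:
    """The fix the post argues for: use the inner (cached) User-Name when the
    method had a tunnel, otherwise fall back to the outer User-Name so that
    EAP-TLS and friends keep their existing CUI."""
    return cui(req.inner_user_name or req.outer_user_name, req.operator_name)


# Identities quoted in the post (constructed as Request records here).
FIRST_AUTH = Request(
    outer_user_name="availability-test@education.lu",
    operator_name="1restena.lu",
    inner_user_name="test.eduroam@education.lu",   # learned in PEAP phase 2
)
REAUTH = Request(
    outer_user_name="availability-test@education.lu",
    operator_name="1restena.lu",
    inner_user_name="test.eduroam@education.lu",   # "Adding cached attributes for session"
)
# Hypothetical non-tunneled request: no inner identity exists at all.
EAP_TLS = Request(
    outer_user_name="tls-client@education.lu",
    operator_name="1restena.lu",
    inner_user_name=None,
)


def cui_is_stable_across_resumption(first: Request, resumed: Request) -> bool:
    """True when the CUI handed out at re-auth equals the one from first auth."""
    return cui_preferring_inner(first) == cui_preferring_inner(resumed)


if __name__ == "__main__":
    print("first auth (inner)  :", cui_preferring_inner(FIRST_AUTH))
    print("reauth via outer    :", cui_from_outer(REAUTH))
    print("reauth via inner    :", cui_preferring_inner(REAUTH))
    print("EAP-TLS, both paths :", cui_from_outer(EAP_TLS), cui_preferring_inner(EAP_TLS))
```

Running it shows the failure mode directly: the outer-based expansion at re-auth yields a different CUI from the one issued at first auth, so an accounting or roaming peer would see two identities for one session, while the inner-preferring expansion is stable across resumption and collapses to the outer User-Name for methods without a tunnel.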