3.0.x: Session resumption and CUI calculation

Alan DeKok aland at deployingradius.com
Tue Feb 11 16:22:53 CET 2014

Stefan Winter wrote:
> so, now that session resumption works, there seems to be an error in the
> calculation of Chargeable-User-Identity in the *reauth* of tunneled
> methods (tried PEAP).

  Why re-calculate it?  It should be cached and replayed from the cache.

  I'll add CUI to the cache.  Ideally, the cache entries should be
configurable.  Patches are welcome. :)

> so during reauth time, the username to be used is known prior to the
> calculation of the reauth CUI.
> And yet:
> expand: "%{sha1:changeme%{tolower:%{User-Name}}%{%{Operator-Name}:-}}"
> -> 'ad40aca101096cde0ce27b387939e4c76d8234ca'
> This is not what one needs.

  The debug output should show the expansion of the User-Name and
Operator-Name.  That will let you know what's going on.

> I wonder how to correctly reference the "inner" User-Name. Since there
> is no phase 2 (but a fake attribute list for that phase 2) would
> inner.User-Name work? Or use reply:User-Name explicitly?

  You'll have to copy the inner User-Name to the outer reply.  Perhaps
as another attribute.

> One of those two should fix the situation if writing
> "%{sha1:changeme%{tolower:%{%{reply:User-Name}:-%{User-Name}}}%{%{Operator-Name}:-}}"
> The reply (or maybe inner) part of it would work for the retrieved fake
> phase2 id, and for methods with no tunnel at all (say EAP-TLS) it would
> get expanded to the normal User-Name as before.


> Is my argumentation sound? And the fix reasonable?

  If it works.

  Honestly, it's easier to just cache the CUI.

  Alan DeKok.

More information about the Freeradius-Devel mailing list