Using Session State

Arran Cudbard-Bell a.cudbardb at
Tue Mar 17 21:39:59 CET 2015

> On 17 Mar 2015, at 16:21, Sam Hartman <hartmans at> wrote:
> Hi.
> So, as we've discussed previously, setting use_tunneled_reply is really
> kind of undesirable with methods like mschapv2 that generate their own
> keys.
> Also, it tends to do undesirable things and expose the channel binding
> messages to the outer reply.
> based on the documentation it sounds like I ought to be able to use the
> session-state list to move attributes between the inner tunnel and outer
> tunnel.
> however, in inner-tunnel's post auth section
> update session-state {
> session-state:User-Name = &Request:User-Name
> }
> returns noop.

Yes, unlang constructs don't change the rcode for the section unless there's been an error.

If there are no module calls before it, it will just return the default rcode for the section.

If you did:

update session-state {
	session-state:User-Name = &Request:User-Name

You'd see it return ok.

> First, should session-state work for this purpose?

Yes. I tried this very recently and it works fine.

> If so, what am I doing wrong?

You want update outer.session-state, not update session-state.

You're writing session attributes to the state list associated with original request, not the fake tunnelled one.

So the actual update statement (without the redundant qualifiers) would be:

update outer.session-state {
	&User-Name = &User-Name

Don't know if you need to deal with session resumption in the work you're doing. If you are, probably best to test to make sure everything works as you'd expect. Especially with anonymous outer identities.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Devel mailing list