Multiple instances of attribute in tunnelled reply
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Wed Apr 23 10:28:10 CEST 2008
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> Hi,
>>
>> We formulate our reply inside of the virtual server dealing with EAP and
>> send it back to the outer server. This is the only way I could think of
>> to insert the Inner identity into the Access-Accept.
>>
>
> ...
> update outer.reply {
> User-Name := "foo"
> }
> ...
>
>
Hmm, it's complicated... there are authorisation issues too.
>> It all works
>> fine... however it seems there's a bug when dealing with multiple
>> instances of the same attribute.
>>
>
> Ah.... the code in "unlang" was fixed to correct this problem. The
> basic API used in the basic RADIUS library wasn't fixed.
>
> Ok... I'll take a look at it when I get back from my current trip.
>
Ok that helps, didn't realise it was fixed in unlang; least I can get
some dynamic ACL testing done.
>
>> What's really weird is in the previous rounds of EAP, the attributes
>> retain the += operator, it's only in the one where the EAP-Success
>> message is returned where all the operators are stripped out.
>>
>
> Yes. "copy everything", versus "merge via operators".
>
>
Yep.
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Thanks,
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
More information about the Freeradius-Users
mailing list