question about session resumption and reply attributes

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Thu May 21 10:46:41 CEST 2009


Hi,
>> No. You should be running through your authorisation policies on
>> session resumption. All policies should be moved to the post-auth
>> section of the outer server.
>
> but only the inner server knows the real id etc ?
Yes, so have it tell the outer server... Insert the (attached) snippet
into the authorize section of the inner server.

There's an issue where outer.reply items aren't merged with the reply
when doing EAP-TTLS-MSCHAPv2. So you still have to have
'use_tunneled_reply' set to yes.

I believe the User-Name attribute in outer.reply is cached, and
available for use on session resumption. So just:

# outer server, authenticate section
Auth-Type EAP {
    eap
    # after eap returns ok, copy the cached User-Name from the reply
    # into the request so the post-auth policies see the real identity
    if (ok && "%{reply:User-Name}") {
        update request {
            User-Name := "%{reply:User-Name}"
        }
    }
}

Once you've got the policies moved to post-auth, any scripts or
lookups used for authorisation will only be run once, giving far greater
efficiency with complex policies. Rejects are still handled properly
even within the Post-Auth section (it jumps to Post-Auth-Type reject).

Arran

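As an added illustration of the layout described above (this is not the attached inner.authorize.txt, whose contents are not reproduced here, and not FreeRADIUS project code), here is one way to wire it up in a FreeRADIUS 2.x configuration. The inner server copies the tunnelled identity into outer.reply, and the outer server's post-auth section carries the policy; the realm pattern and the attr_filter module name are assumptions for the example.

```unlang
# --- sites-available/inner-tunnel (inner server) ---
# Assumed placement: near the top of the authorize section, before the
# eap/mschap modules run. outer.reply is merged into the outer server's
# reply, so the outer server learns the real identity.
authorize {
    update outer.reply {
        User-Name := "%{User-Name}"
    }
    # ... existing inner authorize entries (suffix, eap, mschap, files ...) ...
}

# --- sites-available/default (outer server) ---
# Assumed: the outer authenticate section already copies reply:User-Name
# into request:User-Name after eap returns ok (see the snippet above).
post-auth {
    # Example policy (assumed): only accept users in the example.org realm.
    # On a resumed session User-Name holds the cached inner identity, so
    # this check runs on the real user, not the anonymous outer identity.
    if (!("%{User-Name}" =~ /^[a-z0-9._-]+@example\.org$/)) {
        reject
    }

    # Any further authorisation lookups (files, ldap, sql ...) go here;
    # they run once per authentication, including resumed sessions.

    # "reject" above lands here; attr_filter.access_reject is the default
    # module name in the 2.x site template (assumption for this example).
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Keep use_tunneled_reply = yes in eap.conf for the EAP-TTLS/MSCHAPv2 case mentioned above, since the outer.reply merge does not happen there; the post-auth policy still sees the identity because the reply attributes themselves are copied out of the tunnel.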
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: inner.authorize.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090521/80ba6aca/attachment.txt>