Multiple instances of attribute in tunnelled reply

sunhualing sunhualing at gmail.com
Tue Apr 13 09:30:47 CEST 2010 

Hello everyone:
     I am using a freeradius-2.1.8, with eap-ttls mschap v2. I happen to get
a problem that some attribute missing in the
Access-Accept message, while it appears in the first Access-Challenge
message. I still find that those attributes appear
 tunneled reply , i use the debug mode.
   Search the mail list , i find that similiar problem appears two years
ago, here is the mail.
   Any suggestion is welcome, thanks a log
  sunhualing



Hi,

We formulate our reply inside of the virtual server dealing with EAP and send
it back to the outer server. This is the only way I could think of to insert
the Inner identity into the Access-Accept. It all works fine... however it
seems there's a bug when dealing with multiple instances of the same
attribute.

For example:

users / sql

DEFAULT Service-Type == Framed-User, Realm == 'local', SS-Flags =~
"^.1........$"


               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-ID = 603,

Reply-Message = "User %{%{Stripped-User-Name}:-%{User-Name}} authenticated
for ResNet access on NAS:%{%{NAS-Identifier}:-Uknown NAS}
SSID:%{%{Called-Station-SSID}:-none}.",


               HP-IP-FILTER-RAW = 'deny in 41 from any to any',
               HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.1',
               HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.2',
               HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.3',
               HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.4',
               HP-IP-FILTER-RAW += 'permit in ip from any to 10.0.8.5',
               Fall-Through = no

Ends up being sent as the response:

# server default-inner
 PEAP: Got tunneled reply RADIUS code 2
   Service-Type = Framed-User
   Framed-MTU = 1480
   Framed-Routing = None
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "603"

Reply-Message = "User ac221 authenticated for ResNet access on
NAS:hp-e-engg1-1-dev-8021x-sw1
SSID:none."

   HP-Ip-Filter-Raw = "deny in 41 from any to any"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.1"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.2"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.3"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.4"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.5"
   EAP-Message = 0x03490004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "ac221"
 PEAP: Processing from tunneled session code 0x845cb10 2
   Service-Type = Framed-User
   Framed-MTU = 1480
   Framed-Routing = None
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "603"

Reply-Message = "User ac221 authenticated for ResNet access on
NAS:hp-e-engg1-1-dev-8021x-sw1
SSID:none."

   HP-Ip-Filter-Raw = "deny in 41 from any to any"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.1"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.2"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.3"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.4"
   HP-Ip-Filter-Raw = "permit in ip from any to 10.0.8.5"
   EAP-Message = 0x03490004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "ac221"
 PEAP: Tunneled authentication was successful.
 rlm_eap_peap: SUCCESS
 Saving tunneled attributes for later

So when it's actually used in the Access-Accept packet it appears as:

Sending Access-Accept of id 173 to 139.184.8.16 port 1024
	Service-Type = Framed-User
	Framed-MTU = 1480
	Framed-Routing = None
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "603"
	HP-Ip-Filter-Raw = "deny in 41 from any to any"
	User-Name = "ac221 at sussex.ac.uk"
	MS-MPPE-Recv-Key =
0xdec383f4a269cb3d8fcf59cd9e351971c3a9a3683a7c245144a0b852634c7a03
	MS-MPPE-Send-Key =
0xb9f49bba9f9020deaa745c6ea0e8f5b92e72e2fc5b6465aed4a9231f10edd696
	EAP-Message = 0x034a0004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.

What's really weird is in the previous rounds of EAP, the attributes
retain the += operator, it's only in the one where the EAP-Success
message is returned where all the operators are stripped out.


Relevant EAP bits:

eap {
	...
	ttls {
		...
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
		virtual_server = "default-inner"
	}
}

Thanks,
Arran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100413/4f8c1944/attachment.html>

More information about the Freeradius-Users mailing list