Updating Reply-Message in the inner-tunnel then reject-ing

Bob Franklin rcf34 at cam.ac.uk
Tue Mar 9 10:51:11 CET 2010


Hello (again),

To aid debugging, I'm adding some Reply-Message values upon rejection,
to indicate why we rejected it, in some obvious cases.

In the authorize stanza of the inner-tunnel virtual server, I can do:

   update reply {
     Reply-Message := '[cam.ac.uk] Inner identity in invalid format'
   }

... this updates the Reply-Message in the inner-tunnel (so 
'%{reply:Reply-Message}' returns this message) and appears to propagate 
back out of the tunnel as '%{reply:Reply-Message}' is set to the same 
thing outside it (i.e. back in the 'default' server), in the case of 
intermediate challenges and the final 'Access-Accept'.


However, if I do this and then issue 'reject' to deny the login, the 
Reply-Message doesn't seem to get out of the inner-tunnel and 
'%{reply:Reply-Message}' outside it is empty.  I've tried 'update 
outer.reply { ... }' and that doesn't work, either.  I presume it also 
wouldn't get out to clients, either.

Is this a bug (this is 2.1.6) or am I doing this wrong?

   - Bob


-- 
  Bob Franklin <rcf34 at cam.ac.uk>              +44 1223 748479
  Network Division, University of Cambridge Computing Service


