Having 2 User-Name when using Session Resumption

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Fri Nov 19 15:29:57 CET 2010

Hello all,

	I am experiencing the following problem when using EAP-TLS and
session resumption. When my client tries to authenticate for the 2nd time
and FR recognizes that it has a valid session for it, it goes on and adds a
cached attribute to the reply (User-Name) thus ending up with two User-Name
attributes in my packet reply to NAS. 

       Debug: SSL Connection Established
       Debug: SSL Application Data
       Info: [tls] eaptls_process returned 3
       Info: [tls] Retrieved session data from cached session
       Info: [tls] Adding cached attributes to the reply: User-Name =
"anonymous at myisp2.com"
       Info: [eap] Freeing handler
       Info: ++[eap] returns ok
       Auth: Login OK: [anonymous at myisp2.com] (from client
my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99)
       Info: # Executing section post-auth from file
       Info: +- entering group post-auth {...}
       Info: ++[exec] returns noop
Sending Access-Accept of id 23 to 2001:db95::100 port 1814
	User-Name = "anonymous at myisp2.com"
	User-Name = "anonymous at myisp2.com"
	MS-MPPE-Recv-Key =
	MS-MPPE-Send-Key =
	EAP-Message = 0x03c90004
	Message-Authenticator = 0x00000000000000000000000000000000
	Proxy-State = 0x34

       How could I check if my reply has two User-Name attributes and remove
one? I am guessing that I should add some code in my post-auth..
       Thanks a lot in advance,

PS. in order for session resumption to work on EAP-TLS I am having an update
reply { User-Name = "%{request:User-Name}"} section at the end of my auth
stanza of default which explains why it is not surprising to have the first
instance of User-Name there when FR decides to add cached attributes... (if
I don't have this update reply code SR doesn't work in EAP-TLS)

More information about the Freeradius-Users mailing list