Having 2 User-Name when using Session Resumption
Panagiotis Georgopoulos
panos at comp.lancs.ac.uk
Fri Nov 19 16:27:26 CET 2010
Well, just to answer my own question really.. I've been messing about with
it all morning, trying to figure out where exactly I should put my code to
check for duplicate User-Name attributes and how I could implement removing
only one, but in fact after sending the email to the list I realized that I
could go to post-auth and remove all User-Name attributes and add one, with
the following:
update reply {
        User-Name !* 0x00
        User-Name = "%{request:User-Name}"
}
It's not pretty, but it does the job! Now all I have to do is do more
testing to see if it affects other things...
Cheers,
Panos
> -----Original Message-----
> From: freeradius-users-
> bounces+panos=comp.lancs.ac.uk at lists.freeradius.org [mailto:freeradius-
> users-bounces+panos=comp.lancs.ac.uk at lists.freeradius.org] On Behalf Of
> Panagiotis Georgopoulos
> Sent: 19 November 2010 14:30
> To: freeradius-users at lists.freeradius.org
> Subject: Having 2 User-Name when using Session Resumption
>
> Hello all,
>
> I am experiencing the following problem when using EAP-TLS and session
> resumption. When my client tries to authenticate for the 2nd time and FR
> recognizes that it has a valid session for it, it goes on and adds a
> cached attribute to the reply (User-Name) thus ending up with two
> User-Name attributes in my packet reply to NAS.
>
> Debug: SSL Connection Established
> Debug: SSL Application Data
> Info: [tls] eaptls_process returned 3
> Info: [tls] Retrieved session data from cached session
> Info: [tls] Adding cached attributes to the reply: User-Name = "anonymous at myisp2.com"
> Info: [eap] Freeing handler
> Info: ++[eap] returns ok
> Auth: Login OK: [anonymous at myisp2.com] (from client my_proxy_AAAServer1 port 1 cli 00-1B-2F-29-00-99)
> Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
> Info: +- entering group post-auth {...}
> Info: ++[exec] returns noop
> Sending Access-Accept of id 23 to 2001:db95::100 port 1814
>         User-Name = "anonymous at myisp2.com"
>         User-Name = "anonymous at myisp2.com"
>         MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007
>         MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2
>         EAP-Message = 0x03c90004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         Proxy-State = 0x34
>
> How could I check if my reply has two User-Name attributes and remove
> one? I am guessing that I should add some code in my post-auth..
>
> Thanks a lot in advance,
> Panos
>
>
> PS. in order for session resumption to work on EAP-TLS I am having an
> update reply { User-Name = "%{request:User-Name}" } section at the end of
> my auth stanza of default which explains why it is not surprising to have
> the first instance of User-Name there when FR decides to add cached
> attributes... (if I don't have this update reply code SR doesn't work in
> EAP-TLS)
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
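The following is an added example, not code from this thread or from FreeRADIUS: it parses the attribute dump that FreeRADIUS prints after "Sending Access-Accept" (the lines quoted above, embedded here as constructed sample input), flags any attribute that appears more than once, and models the unlang update operators (`!*` delete all, `=` add if absent, `:=` set replacing all copies, `+=` append, per the unlang documentation; the Python model is an approximation and is assumed, not FreeRADIUS's own code) so that the post-auth fix from the reply can be checked offline. The function names and the `REPLY_DUMP` sample are assumptions made for this example.

```python
"""Check a FreeRADIUS debug reply dump for duplicate attributes and model
the unlang 'update reply' fix from the thread.

Added example, not code from the thread or from FreeRADIUS. The operator
semantics below follow the unlang documentation (= add-if-absent,
:= set-replacing-all-copies, += append, !* delete-all) but are modelled in
Python, so treat the model as an approximation of the real server."""
import re

# Constructed excerpt of the debug output quoted in the thread: the
# attribute lines FreeRADIUS prints after "Sending Access-Accept".
REPLY_DUMP = """\
Sending Access-Accept of id 23 to 2001:db95::100 port 1814
        User-Name = "anonymous at myisp2.com"
        User-Name = "anonymous at myisp2.com"
        MS-MPPE-Recv-Key = 0x40a71fc0b17fd5ce0bee1cfc06ebf8c48a6d37aa710c436a1da4aa3459a22007
        MS-MPPE-Send-Key = 0x54ef81d0a961dda08062bb5e9f433a289f3b6628622122b0314a758abacacce2
        EAP-Message = 0x03c90004
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x34
"""

# One "Attribute-Name = value" line of the dump; the "Sending ..." header
# has no "=" and therefore does not match.
ATTR_LINE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_reply(dump):
    """Return the reply as an ordered list of (attribute, value) pairs."""
    pairs = []
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def duplicated_attributes(pairs):
    """Attribute names that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def apply_update(pairs, op, name, value=None):
    """Apply one line of an unlang 'update' block and return the new list."""
    if op == '!*':   # delete every instance of the attribute
        return [(n, v) for n, v in pairs if n != name]
    if op == '=':    # add only if no instance is present yet
        if any(n == name for n, _ in pairs):
            return list(pairs)
        return pairs + [(name, value)]
    if op == ':=':   # replace all existing copies with this single value
        return [(n, v) for n, v in pairs if n != name] + [(name, value)]
    if op == '+=':   # append unconditionally (this is what created the problem)
        return pairs + [(name, value)]
    raise ValueError('unsupported operator %r' % op)


def fix_from_thread(pairs, request_user_name):
    """The post-auth block from the reply: delete all User-Name, then add one."""
    pairs = apply_update(pairs, '!*', 'User-Name')
    return apply_update(pairs, '=', 'User-Name', request_user_name)


def fix_with_set(pairs, request_user_name):
    """Equivalent single-line form using ':=' (assumed equivalent per unlang docs)."""
    return apply_update(pairs, ':=', 'User-Name', request_user_name)


if __name__ == '__main__':
    reply = parse_reply(REPLY_DUMP)
    print('duplicates before fix:', duplicated_attributes(reply))
    fixed = fix_from_thread(reply, '"anonymous at myisp2.com"')
    print('duplicates after fix: ', duplicated_attributes(fixed))
    for name, value in fixed:
        print('   ', name, '=', value)
```

Running the script on the constructed dump reports `['User-Name']` before the fix and an empty list after it; both `fix_from_thread` and `fix_with_set` leave exactly one User-Name in the reply, which is the property worth asserting in a regression test after changing the post-auth section.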