FW: Session Resumption fails
Alexander Clouter
alex at digriz.org.uk
Fri Sep 24 17:44:28 CEST 2010
Hi,
* Panagiotis Georgopoulos <panos at comp.lancs.ac.uk> [2010-09-24 16:09:18+0100]:
>
> I am resending this to the list as the debugging output was more
> than 100KB and the message was rejected.
>
> Alexander who was copied in my email, kindly provided feedback
> already. In short, "use_tunneled_reply = yes" should be able to solve
> the problem with session resumption in FR 2.1.10, although I
> understand that breaks the end client's privacy as it reveals its
> identity to the NAS.
>
Trivially solved with some unlang. You actually need the User-Name in
the outer layer, otherwise you would be unable to do any user-based
authorisation (if that sort of thing is important).
> When I test it I'll get back to you as I am guessing this interests
> more people.
>
In your 'post-auth' section add (and have some CUI action too):
----
post-auth {
    ....
    if ((request:Chargeable-User-Identity)) {
        update reply {
            # md5(cui_hash_key + user at realm)
            Chargeable-User-Identity := "%{md5:%{config:local.MY.cui_hash_key}%{reply:User-Name}}"
        }
        if (request:Chargeable-User-Identity != "\\000") {
            if (request:Chargeable-User-Identity != reply:Chargeable-User-Identity) {
                update reply {
                    Reply-Message := "CUI Mismatch"
                }
                reject
            }
        }
    }
    # protect the guilty
    update reply {
        User-Name !* ANY
    }
    ....
}
----
Cheers
--
Alexander Clouter
.sigmonster says: I brought my BOWLING BALL -- and some DRUGS!!
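
The post-auth policy from the message above, modelled in Python as an added example (not part of the original email and not FreeRADIUS code), to show which outer reply each kind of request ends up with. The function names, key and user are constructed; it assumes `%{md5:...}` yields lowercase hex and that `"\\000"` denotes the single NUL byte a NAS sends to request a CUI.

```python
import hashlib

CUI_NUL = "\x00"  # assumed meaning of "\\000": NAS requests a CUI, presents none


def derive_cui(cui_hash_key: str, user_name: str) -> str:
    """Hex MD5 over the key followed by the user name, as in the md5 expansion."""
    return hashlib.md5((cui_hash_key + user_name).encode()).hexdigest()


def post_auth(request: dict, reply: dict, cui_hash_key: str):
    """Return (decision, outer_reply) for one authenticated session."""
    reply = dict(reply)  # work on a copy of the tunneled reply
    presented = request.get("Chargeable-User-Identity")
    if presented is not None:
        # The CUI is derived from the inner User-Name before that name is dropped.
        expected = derive_cui(cui_hash_key, reply["User-Name"])
        reply["Chargeable-User-Identity"] = expected
        if presented != CUI_NUL and presented != expected:
            # Simplification of this model: a reject carries only the message.
            return "reject", {"Reply-Message": "CUI Mismatch"}
    # "protect the guilty": the NAS never sees the real identity.
    reply.pop("User-Name", None)
    return "accept", reply


if __name__ == "__main__":
    key = "constructed-key"                      # constructed sample value
    inner = {"User-Name": "alice@example.org"}   # constructed sample user
    cases = {
        "no CUI asked": {},
        "NUL CUI": {"Chargeable-User-Identity": CUI_NUL},
        "stale CUI": {"Chargeable-User-Identity": "0" * 32},
    }
    for label, req in cases.items():
        print(label, post_auth(req, inner, key))
```
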