FW: Session Resumption fails

Alexander Clouter alex at digriz.org.uk
Fri Sep 24 17:44:28 CEST 2010


Hi,

* Panagiotis Georgopoulos <panos at comp.lancs.ac.uk> [2010-09-24 16:09:18+0100]:
>
> I am resending this to the list as the debugging output was more
> than 100KB and the message was rejected. 
> 
> Alexander who was copied in my email, kindly provided feedback 
> already. In short, "use_tunneled_reply = yes" should be able to solve 
> the problem with session resumption in FR 2.1.10, although I 
> understand that breaks the end client's privacy as it reveals its 
> identity to the NAS.
> 
Trivially solved with some unlang.  You actually need the User-Name in 
the outer layer, otherwise you would be unable to do any user-based 
authorisation (if that sort of thing is important).

> When I test it I'll get back to you as I am guessing this interests 
> more people.
> 
In your 'post-auth' section add (and have some CUI action too):
----
post-auth {
	....

	if ((request:Chargeable-User-Identity)) {
		update reply {
			# md5(cui_hash_key + user@realm)
			Chargeable-User-Identity := "%{md5:%{config:local.MY.cui_hash_key}%{reply:User-Name}}"
		}

		if (request:Chargeable-User-Identity != "\\000") {
			if (request:Chargeable-User-Identity != reply:Chargeable-User-Identity) {
				update reply {
					Reply-Message := "CUI Mismatch"
				}
				reject
			}
		}
	}

	# protect the guilty
	update reply {
		User-Name !* ANY
	}

	....
}
----

Cheers

-- 
Alexander Clouter
.sigmonster says: I brought my BOWLING BALL -- and some DRUGS!!
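
As an added example (not part of the message above and not FreeRADIUS code), here is a Python model of the post-auth policy in the message. It shows what the NAS receives in each case: no CUI requested, a NUL CUI probe, a matching CUI and a mismatched one. The function names, the sample key and user, the hex form of the md5 expansion, and the reject reply carrying only Reply-Message are assumptions of this model.

```python
import hashlib

NUL_CUI = "\x00"  # a CUI of one NUL byte: the NAS is asking for a CUI (RFC 4372)


def compute_cui(hash_key: str, user_name: str) -> str:
    """md5(cui_hash_key + user@realm); lowercase hex output is assumed here."""
    return hashlib.md5((hash_key + user_name).encode()).hexdigest()


def post_auth(request: dict, reply: dict, hash_key: str):
    """Model of the post-auth block: returns (decision, attributes sent to the NAS)."""
    out = dict(reply)
    req_cui = request.get("Chargeable-User-Identity")
    if req_cui is not None:
        # The CUI is always derived from the tunneled (inner) User-Name.
        cui = compute_cui(hash_key, reply["User-Name"])
        out["Chargeable-User-Identity"] = cui
        # Anything other than the NUL probe must equal the derived value.
        if req_cui != NUL_CUI and req_cui != cui:
            # Model simplification: the reject carries only the Reply-Message.
            return "reject", {"Reply-Message": "CUI Mismatch"}
    # "protect the guilty": the inner identity is removed from the reply.
    out.pop("User-Name", None)
    return "accept", out


# Constructed sample values, not taken from the thread.
KEY = "example-cui-hash-key"
INNER_REPLY = {"User-Name": "alice@example.org"}

if __name__ == "__main__":
    for label, req in [
        ("no CUI", {}),
        ("NUL probe", {"Chargeable-User-Identity": NUL_CUI}),
        ("wrong CUI", {"Chargeable-User-Identity": "0" * 32}),
    ]:
        print(label, post_auth(req, INNER_REPLY, KEY))
```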


