rlm_perl added pairs disappear after eap authentication
Alan DeKok
aland at deployingradius.com
Thu May 31 15:10:39 CEST 2012
Peter Kaagman wrote:
> After getting (p)eap and mschap working I'm faced with the following
> problem: The client gets authenticated through mschap and receives an
> Access-Accept but the rlm_perl added pairs which were added in request 0
> are not sent to the client.
That's how the server works. It doesn't cache attributes across
multiple packets.
You'll need to set the VLAN in the post-auth section. That's what
it's for. Setting VLANs in the authorize section won't work.
> I've tried several things to resolve this but with no result. One of
> which was running the perl code in a post-auth event. This resulted in
> something like 250 requests and the client not connecting.
Uh.. it *will* work if you do it correctly. There's no magic. The
client doesn't know about post-auth versus authorize.
> Two things strike me as odd:
> - There is a warning about 2 auth-types - perl and eap
Do NOT set "Auth-Type = Perl". Why are you doing that?
> - Why does the authorization run first? I would have thought
> authentication comes first.
The server runs authorize, authenticate, and then post-auth. The
reasons are historical.
> rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
> rlm_perl: Added pair EAP-Message = 0x020800061a03
> rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = Perl
Don't set that.
> [peap] Got tunneled reply code 2
> MS-MPPE-Encryption-Policy = 0x00000001
> MS-MPPE-Encryption-Types = 0x00000006
> MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62
> MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c
> EAP-Message = 0x03080004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "host/lt-pkn.atlas.atlascollege.nl"
In which you don't set any additional attributes.
> Sending Access-Accept of id 209 to 10.0.9.48 port 1645
> MS-MPPE-Recv-Key =
> 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75
> MS-MPPE-Send-Key =
> 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "host/lt-pkn.atlas.atlascollege.nl"
And you don't set any additional attributes here.
Set the attributes in the post-auth section. It *will* work.
If it doesn't, you did something wrong. Show *what* you did, what
happened, and what you expected to see.
Alan DeKok.
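
Added example, not part of the original message and not FreeRADIUS project code: a minimal rlm_perl script that sets the VLAN reply attributes in `post_auth` rather than `authorize`, and never sets Auth-Type. The VLAN IDs, the `host/` rule, the `vlan_for` helper and the `VLAN_SELFTEST` switch are assumptions made for illustration.

```perl
use strict;
use warnings;

# rlm_perl fills these hashes before each hook and reads %RAD_REPLY back afterwards.
our (%RAD_REQUEST, %RAD_REPLY);

# Return codes as defined in the example.pl shipped with rlm_perl.
use constant { RLM_MODULE_NOOP => 7, RLM_MODULE_UPDATED => 8 };

# Constructed policy: the VLAN IDs and the host/ rule are placeholders.
my $MACHINE_VLAN = '20';
my $DEFAULT_VLAN = '99';

# Hypothetical helper: choose a VLAN from the User-Name in the request.
sub vlan_for {
    my ($user) = @_;
    return $MACHINE_VLAN if defined $user && $user =~ m{^host/}i;
    return $DEFAULT_VLAN;
}

# Nothing to do at authorize time: reply attributes set here are gone by the
# final packet, and Auth-Type is left untouched so EAP handles authentication.
sub authorize { return RLM_MODULE_NOOP }

# post-auth runs for the request that is answered with the Access-Accept,
# so attributes added here are part of that reply.
sub post_auth {
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = vlan_for($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_UPDATED;
}

# Offline check with a constructed request; runs only when the hypothetical
# VLAN_SELFTEST environment variable is set (e.g. from a shell, not the server).
if ($ENV{VLAN_SELFTEST}) {
    %RAD_REQUEST = ('User-Name' => 'host/pc01.example.org');
    %RAD_REPLY   = ();
    post_auth();
    print "$_ = $RAD_REPLY{$_}\n" for sort keys %RAD_REPLY;
}

1;
```

For this to take effect, `perl` has to be listed in the `post-auth` section of the virtual server that sends the final Access-Accept.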