FR 3.0.1 + CUI + MS-MPPE-*-Key issues

stefan.paetow at diamond.ac.uk stefan.paetow at diamond.ac.uk
Tue Feb 18 18:16:07 CET 2014 

Hi,

As part of the Moonshot project, I've upgraded my FR to 3.0.1 (plus the MySQL schema and the SQLite API fixes, because both are required here). I've now discovered an issue (I don't know if this is similar to what Stefan Winter raised recently about "Re: 3.0.x: Session resumption and CUI calculation" or not), where I have two scenarios and two items in Access-Accept that need to be there, CUI and the MS-MPPE-*-Key attributes:

1. FR 3.0.1 with use_tunneled_reply = yes, cui-inner.post-auth left as-is.

- auth with pam_gss: CUI present, multiple sets of MS-MPPE-*-Key present. (boo! GSS doesn't like multiple sets!)
- auth with rad_eap_test: CUI present, one set of MS-MPPE-*-Key present. (hooray! I have a CUI!)

2. FR 3.0.1 with use_tunneled_reply = no, cui-inner.post-auth modified to update outer.reply

- auth with pam_gss: CUI present, one set of MS-MPPE-*-Key present. (hooray! GSS now works!)
- auth with rad_eap_test: NO CUI present, one set of MS-MPPE-*-Key present. (boo! No CUI = problem!)

So, my question is, is this intended or unintended behaviour, and if it is unintended, is there anything we can do (with unlang or the like)?

I've compressed the four sets of authentications and parked them here (apologies for that, but I believe the mailing list has an attachment limit): https://www.dropbox.com/s/zvi7x0w3llzlhie/fr301.zip

With Regards

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE



-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

More information about the Freeradius-Users mailing list