PEAP-MSCHAPv2: Cannot recover attributes from TLS Session Cache

Arran Cudbard-Bell a.cudbardb at
Sat Aug 6 05:47:56 CEST 2016

> On 5 Aug 2016, at 11:36, Brian Julin <BJulin at> wrote:
> Wussler, Doug wrote:
>> Perhaps there is something else I don¹t understand but it does not look
>> like ³use_tunneled_reply² in the eap module is really deprecated.  I can¹t
>> get anything to work without that.
> It's been removed in the 3.2.x devel branch.
> I'm not sure how recent you have to be to get by without it,

Use the outer.session-state list to build the reply, and copy the contents across in post-auth.  It’ll work in v3.0.x too and is less magical.

# Outer
post-auth {
	update {
		&reply: += &session-state:[*]

From an architectural point of view the option was wrong, and was preventing us from moving to a clean design for protocol nesting.

When you proxy to the inner tunnel, what you’re actually doing is decoding the TLVs from the EAP method, and creating a fake request with them, so the reply list from the inner tunnel server should be encoded as EAP method TLVs, it shouldn’t contain any RADIUS attributes, only EAP method attributes.

This is important for things like the SoH module, which can actually run equally well with DHCP or PEAPv0.

In terms of usability improvementsWe could also represent session-state as a request qualifier i.e.


That’d allow all lists to be represented, and maybe the reply to be automatically merged?  Does seem a bit more friendly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list