Vendor attributes not copied to inner tunnel?
Sylvain Munaut
s.munaut at whatever-company.com
Thu Feb 18 17:44:13 CET 2016
Hi,
I'm in a PEAP setup and trying to match the SSID as part of the group checks.
This is an example request coming in:
(17) Received Access-Request Id 59 from 192.168.10.237:1645 to 192.168.10.1:1812 length 201
(17) User-Name = "test_pwd_1"
(17) Framed-MTU = 1400
(17) Called-Station-Id = "0000.0000.0000"
(17) Calling-Station-Id = "0000.0000.0000"
(17) Cisco-AVPair = "ssid=TestMain"
(17) Service-Type = Login-User
(17) Message-Authenticator = XXX
(17) EAP-Message = XXX
(17) NAS-Port-Type = Wireless-802.11
(17) NAS-Port = 542
(17) NAS-Port-Id = "542"
(17) State = XXX
(17) NAS-IP-Address = 192.168.10.237
As you can see, the SSID the user tries to connect to is included as a
Cisco-AVPair, and I wanted to be able to match on it.
Unfortunately it turns out that this attribute is apparently not copied
from the outer request to the inner one, despite
copy_request_to_tunnel being set to true.
I tried parsing it in the default authorize {} using:

    if (&Cisco-AVPair[*] =~ /ssid=(.*)/i) {
        update request {
            &Called-Station-SSID := "%{1}"
        }
    }

hoping that Called-Station-SSID would then be copied. However, it's not
copied either.
Finally I tried adding this in the inner-tunnel authorize {}:

    if (&outer.request:Called-Station-SSID) {
        update request {
            &Called-Station-SSID := &outer.request:Called-Station-SSID
        }
    }

And this indeed seems to work and I can match on it.
However, I have a couple of questions:
- Why weren't the Cisco-AVPair and/or Called-Station-SSID attributes
  copied? Other attributes like Service-Type, Called-Station-Id, ... are
  all copied properly.
- Does it look like the right thing to do?
Cheers,
Sylvain Munaut
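As an added example (not part of the original message, and not FreeRADIUS project code), here is one complete way to wire this up in FreeRADIUS 3 unlang: the outer authorize section extracts the SSID from whichever Cisco-AVPair value carries it, the inner-tunnel authorize section pulls that attribute across from the outer request, and the inner section then uses it as the group check. The two authorize sections live in different virtual servers (sites-available/default and sites-available/inner-tunnel) and are shown in one listing only for readability. The SSID names "TestMain" and "TestGuest", the reject-by-default policy and the use of Tmp-String-0 as a group tag are assumptions chosen for illustration.

```unlang
# --- sites-available/default: authorize { } of the OUTER (PEAP) request ---
authorize {
    # ... preprocess, eap, etc. as in the stock configuration ...

    # Cisco NASes can send several Cisco-AVPair values (e.g. "ssid=..." and
    # others), so walk all instances with [*] and anchor on the "ssid=" key.
    if (&Cisco-AVPair[*] =~ /^ssid=(.+)$/i) {
        update request {
            &Called-Station-SSID := "%{1}"
        }
    }
}

# --- sites-available/inner-tunnel: authorize { } of the INNER request ---
authorize {
    # Called-Station-SSID was set on the outer request but is not carried
    # into the tunnel here, so copy it across explicitly.
    if (&outer.request:Called-Station-SSID) {
        update request {
            &Called-Station-SSID := &outer.request:Called-Station-SSID
        }
    }

    # Group check on the SSID (assumed policy). Per-SSID branches tag the
    # request; anything not listed, including a missing SSID, is refused.
    switch &Called-Station-SSID {
        case "TestMain" {
            update control {
                &Tmp-String-0 := "main-users"   # hypothetical group tag
            }
        }
        case "TestGuest" {
            update control {
                &Tmp-String-0 := "guest-users"  # hypothetical group tag
            }
        }
        case {
            reject
        }
    }

    # ... files, ldap/sql, pap, mschap, etc. can now key off Tmp-String-0 ...
}
```

Anchoring the regex with ^ and $ avoids matching an SSID-like substring inside an unrelated AVPair, and putting the unknown-SSID case in the default `case` branch means a NAS that omits the attribute entirely is rejected rather than silently passed through without a group check.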