Attr-26.135.22.100?
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Fri Jul 21 18:23:55 CEST 2017
> What is the raw data from that attribute? Perhaps it actually is malformed...
>
> EAP-Channel-Binding is a Ukerna attribute, of number 135. So if it *is* malformed, it should come across as:
>
> Attr-26.25622.135 = 0x....

That's what I thought... But it isn't malformed. Something else goes wrong in FR.

The two outputs are here:
https://www.dropbox.com/sh/tonkqtbxloyzb8d/AAAUWbTS1xzvsnPWY9gk6KR2a?dl=0

Specifically, the following changes were made in the config:

In 3.0.10's inner-tunnel, the copy-to-outer.session-state unlang was enabled, and in abfab-tr-idp, the same bits were enabled to get the contents of the outer session-state, and in 3.0.14, the configuration was updated to make the same available.

Specifically, look at lines 2385-2390 in the 3.0.10-Default.txt and lines 2395-2399 in the 3.0.14-Updated.txt. That's where the inner-tunnel ends.

3.0.10:
(15) update {
(15) &outer.session-state::EAP-Channel-Binding-Message += &reply:EAP-Channel-Binding-Message[*] -> 0x02001101a406686f7374a50b6c6f63616c686f7374
(15) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03010004
(15) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(15) &outer.session-state::Stripped-User-Name += &reply:Stripped-User-Name[*] -> 'steve'
(15) } # update = noop
(15) } # post-auth = noop
(15) } # server inner-tunnel

3.0.14:
(15) update {
(15) &outer.session-state::Attr-26.135.22.100 += &reply:Attr-26.135.22.100[*] -> 0x02001101a406686f7374a50b6c6f63616c686f7374
(15) &outer.session-state::Stripped-User-Name += &reply:Stripped-User-Name[*] -> 'steve'
(15) } # update = noop
(15) } # if (1) = noop
(15) } # post-auth = noop
(15) } # server inner-tunnel

The values of EAP-Channel-Binding-Message and 'Attr-26.135.22.100' are identical. In 3.0.14, the session-state copy unlang strips out EAP-Message and Message-Authenticator (which is correct, because the unlang in inner-tunnel explicitly strips them).

So. What's happened to 'EAP-Channel-Binding-Message' and why is it either mangled or being misinterpreted by radiusd as attribute 26.135.22.100?

:-)

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
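
One way to check whether the logged value is well-formed, independently of the attribute name radiusd prints for it, is to decode it by hand. This is an added example, not part of the original post or of FreeRADIUS; it assumes the value follows the RFC 7057 channel-binding encoding carrying RFC 7055 RADIUS attributes, and the function names are hypothetical.

```python
import struct

# Value copied from the debug output in the post (identical in 3.0.10 and 3.0.14).
LOGGED_VALUE = "02001101a406686f7374a50b6c6f63616c686f7374"

NSID_RADIUS = 1  # RFC 7057 namespace identifier for RADIUS attributes (assumed encoding)
# RFC 7057 code values and RFC 7055 attribute numbers, for readable output.
CODES = {1: "channel-binding data", 2: "verification success", 3: "verification failure"}
NAMES = {164: "GSS-Acceptor-Service-Name", 165: "GSS-Acceptor-Host-Name"}


def parse_radius_avps(data):
    """Split a RADIUS-namespace block into (type, value) pairs; raise on bad lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        avps.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps


def parse_channel_binding(hex_value):
    """Return (code, [(nsid, avps), ...]) or raise ValueError if malformed."""
    raw = bytes.fromhex(hex_value)
    if not raw:
        raise ValueError("empty value")
    code, pos, blocks = raw[0], 1, []
    while pos < len(raw):
        if len(raw) - pos < 3:
            raise ValueError("truncated block header at offset %d" % pos)
        length, nsid = struct.unpack_from("!HB", raw, pos)  # 2-byte length, 1-byte NSID
        pos += 3
        if pos + length > len(raw):
            raise ValueError("block length %d overruns value" % length)
        body = raw[pos:pos + length]
        # Non-RADIUS namespaces are kept as one opaque (None, bytes) entry.
        blocks.append((nsid, parse_radius_avps(body) if nsid == NSID_RADIUS else [(None, body)]))
        pos += length
    return code, blocks


if __name__ == "__main__":
    code, blocks = parse_channel_binding(LOGGED_VALUE)
    print("code %d (%s)" % (code, CODES.get(code, "unknown")))
    for nsid, avps in blocks:
        for attr_type, value in avps:
            print("  nsid %d: %s = %r" % (nsid, NAMES.get(attr_type, attr_type), value))
```

Under those assumptions every length field in the logged value is consistent with the bytes that follow it, and the payload carries the strings `host` and `localhost`.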