PEAP request with EAP-MSCHAPv2 as Phase 2, how to store attribute data.
work vlpl
thework.vlpl at gmail.com
Thu Nov 9 19:41:24 CET 2017
Hello,

I use a configuration that can handle PEAP + EAP-MSCHAPv2 as Phase 2
and proxies the inner tunnel request to another home server.
I need to log the request with the real username (inner identity) and other
custom attributes available in the inner tunnel phase. For other request
types like EAP-TTLS/PAP it is trivial: in the authorize section I save the
attributes of interest to me in the control list, because the proxy response
overrides the reply list. The proxy response is set back into the inner tunnel, and in
the post-auth section I expand the stored attributes and the linelog directive does
the work.

When the request type is PEAP + EAP-MSCHAPv2 as Phase 2, the proxy saves the
response to "some temporary storage" (Saving tunneled attributes for
later):
(101) eap: Doing post-proxy callback
(101) eap: Passing reply from proxy back into the tunnel
(101) eap: Got tunneled reply RADIUS code 2
(101) eap: EAP-Message = 0x03080004
(101) eap: Message-Authenticator = 0x21a9b5e96fc954c7cb0713477905fe5b
(101) eap: User-Name = "testing_remote"
(101) eap: Proxy-State = 0x38
(101) eap: Tunneled authentication was successful
(101) eap: SUCCESS
(101) eap: Saving tunneled attributes for later
(101) eap: Reply was handled
And after that the supplicant sent the final request. FreeRADIUS clears the
control list (I checked it with the debug_all directive; I am not asking
FreeRADIUS to do it, it happens automatically), so I lost my attributes
saved in the control list.
FreeRADIUS continues the EAP session and restores User-Name to the reply list
from the temporary storage:
(102) eap_peap: [eaptls process] = ok
(102) eap_peap: Session established. Decoding tunneled attributes
(102) eap_peap: PEAP state send tlv success
(102) eap_peap: Received EAP-TLV response
(102) eap_peap: Success
(102) eap_peap: Using saved attributes from the original Access-Accept
(102) eap_peap: User-Name = "testing_remote"
(102) eap_peap: caching User-Name = "testing_remote"
(102) eap_peap: Failed to find 'persist_dir' in TLS configuration.  Session will not be cached on disk.
(102) eap: Sending EAP Success (code 3) ID 9 length 4
(102) eap: Freeing handler
tls: Freeing cached session VPs
So in the post-auth section I have the real username, but lost my custom
attributes stored in the control list:
(102) EXPAND %{reply:User-Name}
(102) --> testing_remote
(102) EXPAND %{control:User-Name}
(102) -->
(102) EXPAND %{User-Name}
(102) --> anonymous
If it is possible, how can I store my custom attributes in "some
temporary storage" to have access to them in the very last stage?
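As an added example (not part of the original post or the FreeRADIUS distribution), the configuration below shows the mechanism the post describes, parking inner-tunnel values in the control list before proxying and expanding them through a linelog instance, and swaps the final storage from the inner control list to the outer request's session-state list, which FreeRADIUS 3.0.x keeps for the whole EAP conversation rather than for a single round trip. It assumes the stock virtual server names "default" and "inner-tunnel", the 3.0.x `&outer.` list prefix, and uses the built-in internal attribute Tmp-String-0 as a stand-in for the poster's own custom attribute; the module instance name inner_log and the log file name are invented for the example.

```unlang
# Added example, not the poster's configuration. Assumes FreeRADIUS 3.0.x.
# Tmp-String-0 stands in for a custom attribute of interest.

# --- sites-enabled/inner-tunnel ---
authorize {
    # Same step as in the post: keep the inner identity and the custom
    # value in control, since the proxied Access-Accept replaces reply.
    update control {
        &User-Name    := "%{User-Name}"
        &Tmp-String-0 := "%{Tmp-String-0}"
    }
}

post-auth {
    # Runs after the proxied reply was passed back into the tunnel.
    # Copy into the OUTER request's session-state: that list survives the
    # remaining EAP round trips, whereas the inner control list does not.
    update {
        &outer.session-state:User-Name    := "%{control:User-Name}"
        &outer.session-state:Tmp-String-0 := "%{control:Tmp-String-0}"
    }
}

# --- sites-enabled/default ---
post-auth {
    # Executed on the final Access-Accept, after "eap: Freeing handler".
    # %{User-Name} is still the anonymous outer identity here; the real
    # one is read from session-state instead.
    inner_log
}

# --- mods-enabled/linelog ---
linelog inner_log {
    filename = ${logdir}/inner_auth.log
    format = "%{session-state:User-Name} %{session-state:Tmp-String-0} outer=%{User-Name} reply=%{reply:User-Name}"
}
```

With debug output enabled (radiusd -X), the expansion of %{session-state:User-Name} in the outer post-auth section should show the inner identity on the final request where %{control:User-Name} expands to nothing; if it is empty, check that the inner-tunnel post-auth section actually ran (it is skipped when the inner authentication is rejected).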