Class Attribute Missing for Anonymous Users

Alan DeKok aland at deployingradius.com
Sat Sep 23 17:51:14 CEST 2017


On Sep 23, 2017, at 11:07 AM, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
>>   Does 3.0.15 send the Class attribute in the Access-Accept?  If not, that's the problem.
> No, it does not.

  Well, that's the problem then.

>>   Otherwise, look at the Access-Accept packets from the two versions.  If they're different, try to make them the same.  Maybe the NAS is getting excited over those differences.
>> 
> How do I do that?

  Make sure you have the same configuration as in v2.  *Understand* what the configuration does.  Run the server in debug mode, and READ THE OUTPUT.

  The debug output tells you what's going on, and even shows the Class attribute... repeatedly.  So you've got it half done, you just need to finish it.

> /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls
> (5)     post-auth {
> (5)       if (1) {
> (5)       if (1)  -> TRUE
> (5)       if (1)  {
> (5)         update reply {
> (5)           User-Name !* ANY
> (5)           Message-Authenticator !* ANY
> (5)           EAP-Message !* ANY
> (5)           Proxy-State !* ANY
> (5)           MS-MPPE-Encryption-Types !* ANY
> (5)           MS-MPPE-Encryption-Policy !* ANY
> (5)           MS-MPPE-Send-Key !* ANY
> (5)           MS-MPPE-Recv-Key !* ANY
> (5)         } # update reply = noop
> (5)         update {
> (5)           &outer.session-state::Class += &reply:Class[*] -> 
> 0x5f7363696c656b

   You have it updating the outer session state with the Class attribute.

> (5)           &outer.session-state::Idle-Timeout += 
> &reply:Idle-Timeout[*] -> 120
> (5)           &outer.session-state::Acct-Interim-Interval += 
> &reply:Acct-Interim-Interval[*] -> 600
> (5)           &outer.session-state::Exec-Program-Wait += 
> &reply:Exec-Program-Wait[*] -> '/usr/local/bin/bash 
> /usr/local/etc/raddb/scripts/datacounter_auth.sh
> scilek'
> (5)         } # update = noop
> (5)       } # if (1)  = noop
> (5)     } # post-auth = noop
> (5)   Login OK: [scilek] (from client HOME_AP port 0 cli 
> 00-26-C6-72-D2-F8 via TLS tunnel)
> (5) } # server inner-tunnel-ttls
> (5) Virtual server sending reply
> (5)   Class = 0x5f7363696c656b
> (5)   Idle-Timeout = 120
> (5)   Acct-Interim-Interval = 600
> (5)   Exec-Program-Wait = "/usr/local/bin/bash 

  And the inner-tunnel reply contains the Class attribute.

> /usr/local/etc/raddb/scripts/datacounter_auth.sh scilek"
> (5) eap_ttls: Got tunneled Access-Accept
> (5) eap: Sending EAP Success (code 3) ID 4 length 4
> (5) eap: Freeing handler
> (5)     [eap] = ok
> (5)   } # authenticate = ok
> (5) # Executing section post-auth from file 
> /usr/local/etc/raddb/sites-enabled/default
> (5)   post-auth {
> (5)     [exec] = noop
> (5)   } # post-auth = noop
> (5) Login OK: [anonymous] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8)
> (5) Sent Access-Accept Id 7 from 192.168.0.1:1812 to 192.168.0.4:52371 
> length 0
> (5)   MS-MPPE-Recv-Key = 
> 0x4ea1660394b373c00aafe60fddb13369f19ffc3cae4ae7ee41cc7ff96f5ad6d1
> (5)   MS-MPPE-Send-Key = 
> 0xd3e5cea80a4275aaefb15531d3ebef6e171ddc828752b9d903ed33d0e149ff61
> (5)   EAP-Message = 0x03040004
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   User-Name = "anonymous"

  But you never copy the Class attribute from the inner tunnel to the outer tunnel.

  Fix that in the inner-tunnel virtual server:

post-auth {
	...
	update outer.reply {
		Class += &reply:Class
	}
}

  That should do it.

  Alan DeKok.
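A small checker for the "read the debug output" step above, added here as an example and not part of the thread: it scans radiusd -X output for each outer "Sent Access-Accept" line, collects the attribute lines that follow it, and reports requests whose outer reply carries no Class. The sample input is constructed from the debug lines quoted in this thread (wrapped values joined back onto one line); the line layout it assumes is the one shown in that output.

```python
import re

# Constructed sample modelled on the radiusd -X output quoted in the thread:
# the inner-tunnel reply carries Class, the outer Access-Accept does not.
SAMPLE_DEBUG = """\
(5) Virtual server sending reply
(5)   Class = 0x5f7363696c656b
(5)   Idle-Timeout = 120
(5)   Acct-Interim-Interval = 600
(5) eap_ttls: Got tunneled Access-Accept
(5) eap: Sending EAP Success (code 3) ID 4 length 4
(5) Login OK: [anonymous] (from client HOME_AP port 0 cli 00-26-C6-72-D2-F8)
(5) Sent Access-Accept Id 7 from 192.168.0.1:1812 to 192.168.0.4:52371 length 0
(5)   MS-MPPE-Recv-Key = 0x4ea1660394b373c00aafe60fddb13369f19ffc3cae4ae7ee41cc7ff96f5ad6d1
(5)   MS-MPPE-Send-Key = 0xd3e5cea80a4275aaefb15531d3ebef6e171ddc828752b9d903ed33d0e149ff61
(5)   EAP-Message = 0x03040004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   User-Name = "anonymous"
"""

# Same sample after the "update outer.reply" fix has been applied (constructed).
SAMPLE_DEBUG_FIXED = SAMPLE_DEBUG + "(5)   Class = 0x5f7363696c656b\n"

# "(N) Sent Access-Accept Id M from ..." opens the outer reply's attribute list.
SENT_RE = re.compile(r"^\((\d+)\) Sent Access-Accept Id (\d+) ")
# "(N)   Attribute-Name = value" lines follow it, indented under the request number.
ATTR_RE = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.*)$")


def outer_access_accepts(debug_text):
    """Return {request_no: {attr: value}} for every outer Access-Accept.

    Attribute lines are attached to the most recent 'Sent Access-Accept'
    line with the same request number; the list ends at the first line
    that is not such an attribute line. Inner-tunnel replies ('Virtual
    server sending reply') are deliberately not collected.
    """
    replies = {}
    current = None
    for line in debug_text.splitlines():
        m = SENT_RE.match(line)
        if m:
            current = m.group(1)
            replies[current] = {}
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) == current:
            replies[current][m.group(2)] = m.group(3)
        else:
            current = None
    return replies


def replies_missing_class(debug_text):
    """Request numbers whose outer Access-Accept has no Class attribute."""
    return sorted(
        req for req, attrs in outer_access_accepts(debug_text).items()
        if "Class" not in attrs
    )


if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE_DEBUG), ("after fix", SAMPLE_DEBUG_FIXED)):
        missing = replies_missing_class(text)
        print(f"{label}: outer replies without Class -> {missing or 'none'}")
```

Run it over a captured "radiusd -X" log instead of the embedded sample to confirm that, after the inner-tunnel change, the outer Access-Accept actually lists Class alongside the MS-MPPE keys; the inner "Virtual server sending reply" block showing Class is not enough, as the thread explains.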
