User-Name return glitch in FR 3.0.17?

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Tue Apr 24 10:25:23 CEST 2018


Hi Alan, 

I used the session-state filter thing in the inner-tunnel post-auth and commented out the removal of the User-Name (so it does send the User-Name back as part of the inner-tunnel reply).

I can't use the 'update reply { User-Name !* }' bit because there are cases where the reply *will* contain an actual User-Name.

I'll post you a Dropbox link with a series of tests regarding this. I'll re-run this on 3.0.16 as well just to check that the expected behavior is seen there. If so, I guess it'll be helpful to you to see what the edge case is?

With Regards

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk


On 23/04/2018, 18:13, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:

    On Apr 23, 2018, at 11:51 AM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
    > 
    > So, this is an authentication on FreeRADIUS 3.0.17 that I've just upgraded to on our 'playpen' network. Previously, it would simply return the User-Name as 'root' (I know, I know...) but now it appears that the server adds the outer User-Name *first*, and then restores the session-state one (which was set by the inner-tunnel as 'root').
    
      There were situations where it *wouldn't* set the reply User-Name for EAP.  That was fixed in 3.0.17.
    
      The debug log you posted shows no User-Name in the session-state list.
    
      Hmm... if I set the inner reply with a User-Name, and then set "use_tunneled_reply = yes", then the inner User-Name is copied to the outer one as expected.
    
      If I don't set "use_tunneled_reply", then the outer User-Name is just a copy of the one from the request, as expected.
    
      If I add a User-Name to the outer session-state list, then it's in the reply, *and* the one added by the EAP module.  So that's wrong.   The solution there is to have "eap" run in the post-auth section, and only add the reply User-Name there.  But that's not going to change in a stable release.
    
      The solution to that would be to just remove any existing User-Name from the reply, before updating the session-state list:
    
    	update reply {
    		User-Name !*
    	}
    	update {
    		&reply += &session-state:
    	}
    
      I think that will work.  But what are you expecting it to do, and when?
    
      Alan DeKok.
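
A way to check test runs for the duplicate discussed above (an Access-Accept carrying both the outer User-Name and the one restored from session-state), as an added example that is not part of the original thread. The log layout is an assumption modelled on FreeRADIUS 3.x debug output, and the sample lines, addresses and names are constructed.

```python
import re

# Constructed sample; layout modelled on FreeRADIUS 3.x "radiusd -X" output (assumption).
SAMPLE_DEBUG = '''\
(7) Sent Access-Accept Id 12 from 127.0.0.1:1812 to 127.0.0.1:51000 length 0
(7)   User-Name = "anonymous@example.org"
(7)   User-Name = "root"
(7)   MS-MPPE-Recv-Key = 0x00
(7) Finished request
(9) Sent Access-Accept Id 14 from 127.0.0.1:1812 to 127.0.0.1:51000 length 0
(9)   User-Name = "root"
(9) Finished request
(11) Sent Access-Reject Id 15 from 127.0.0.1:1812 to 127.0.0.1:51000 length 0
(11) Finished request
'''

# Packet header, with or without the "(N)" request prefix.
HEADER = re.compile(r'^(?:\(\d+\)\s+)?(?:Sent|Received) (Access-\w+) Id (\d+)\b')
# Indented "Attribute = value" line belonging to the packet above it.
ATTR = re.compile(r'^(?:\(\d+\))?\s+([A-Za-z][\w-]*) = (.*)$')

def user_names_per_accept(text):
    """Return {packet Id: [User-Name values]} for every Access-Accept seen."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Track the packet only if it is an Access-Accept.
            current = int(m.group(2)) if m.group(1) == 'Access-Accept' else None
            if current is not None:
                result[current] = []
            continue
        m = ATTR.match(line)
        if m and current is not None:
            if m.group(1) == 'User-Name':
                result[current].append(m.group(2).strip('"'))
        elif not m:
            current = None  # any other line ends the attribute list
    return result

def duplicated(text):
    """Packet Ids whose Access-Accept carries more than one User-Name."""
    found = user_names_per_accept(text)
    return sorted(i for i, names in found.items() if len(names) > 1)

if __name__ == '__main__':
    for pkt_id, names in user_names_per_accept(SAMPLE_DEBUG).items():
        print(f'Id {pkt_id}: {names} -> {"DUPLICATE" if len(names) > 1 else "ok"}')
```

Running the same check against output from 3.0.16 and 3.0.17 for an identical test set shows which requests changed from a single User-Name to two.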
    
    



