Access to the attributes lists in different sections
work vlpl
thework.vlpl at gmail.com
Fri Apr 27 11:54:53 CEST 2018
Hello,

I use the rlm_python module to query information about the supplicant from a backend
database and, based on the retrieved data, decide what to do next with the request.
Also, some of the data retrieved from the database goes to a log.

Some of the requests are EAP and use the inner tunnel virtual site. To prevent
double log records (one from the inner tunnel and one from the "outer" virtual
site) I do the log operation (linelog module) only in the "outer" virtual site, and
pass the necessary data from the inner tunnel by using

    update outer.session-state {
        ...
    }

I do not use the reply list to store the necessary data, because the python module can
set the Proxy-To-Realm attribute and redirect some of the requests to a home server
(do a proxy operation), and after receiving the reply from the proxy, the freeradius
server replaces the original reply with the reply from the home server.

outer.session-state works for most cases, but does not work for an eap-ttls
request that will be proxied and rejected by the home server. For example, this
is the network config for the eapol_test util:

    network={
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="testing_remote"
        anonymous_identity="anonymous"
        phase2="autheap=MSCHAPV2"
        ...
    }

The freeradius server is configured to proxy only the inner stage, after the real identity
is revealed.

After the home server rejects the request, the freeradius server clears the
session-state list in the "outer" virtual site, and I cannot access it in the
Post-Auth-Type REJECT section. To mitigate this I copy the necessary data from
session-state to the control list in the post-proxy section

    update control {
        Some-Attribute := &session-state:Some-Attribute
    }

And the control attributes list is available in the Post-Auth-Type REJECT section.
And this basically works.

My question is: is there another way or attribute list to store some data
during the full radius authentication session (until freeradius sends the
Access-Reject reply), to be able to access the stored data from all
sections (authorize, post-auth, Post-Auth-Type REJECT, pre-proxy,
post-proxy etc.)? Or maybe there is a way to configure freeradius to not
clear the session-state list after an Access-Reject reply from the home server?

--
Vladimir