Access to the attributes lists in different sections

Alan DeKok aland at
Fri Apr 27 15:20:01 CEST 2018

On Apr 27, 2018, at 5:54 AM, work vlpl <thework.vlpl at> wrote:
> My question is - Is there another way or attribute list to store some data
> during a full radius authentication session (until freeradius sends an
> Access-Reject reply), to be able to access the stored data from all
> sections (authorize, post-auth, Post-Auth-Type REJECT, pre-proxy,
> post-proxy etc.)?

  Use a database.

  The session-state list is automatically managed by the server for an authentication session.  It's used to store data about that session.

  Without session-state, each packet is processed independently of all other packets.

> Or maybe there is a way to configure freeradius to not
> clear the session-state list after an Access-Reject reply from the home server?

  The code *should* clear session-state only after running the post-auth section.

  I think what's happening is that it's using the outer State attribute inside of the inner tunnel.  So when the inner tunnel returns Access-Reject, the session-state is cleared.  Which just happens to be the same state as for the outer session.

  I think the solution is to just not delete the session state when inside the inner-tunnel.  It will be deleted in the outer tunnel anyways, so that should work.

  Alan DeKok.
