Unexpected Disconnect Message to NAS
Vladimir Cvetic
vcvetic.vc at gmail.com
Wed Feb 20 21:32:12 CET 2019
and added
Session_Timeout !* ANY
but didn't receive the attribute either.
On Wed, Feb 20, 2019 at 9:30 PM Vladimir Cvetic <vcvetic.vc at gmail.com>
wrote:
> debug log says:
>
> Wed Feb 20 20:59:32 2019 : Debug: peap {
> Wed Feb 20 20:59:32 2019 : Debug: tls = "tls-common"
> Wed Feb 20 20:59:32 2019 : Debug: default_eap_type = "mschapv2"
> Wed Feb 20 20:59:32 2019 : Debug: copy_request_to_tunnel = no
> *Wed Feb 20 20:59:32 2019 : Debug: use_tunneled_reply = no*
> Wed Feb 20 20:59:32 2019 : Debug: proxy_tunneled_request_as_eap = yes
> Wed Feb 20 20:59:32 2019 : Debug: virtual_server = "inner-tunnel"
> Wed Feb 20 20:59:32 2019 : Debug: soh = no
> Wed Feb 20 20:59:32 2019 : Debug: require_client_cert = no
>
> and the EAP config says:
>
> #
> PEAP
> # As of version 3.0.5, this configuration item
> # is deprecated. Instead, you should use
> #
> # update outer.session-state {
> # ...
> #
> # }
> #
> # This will cache attributes for the final Access-Accept.
> #
> use_tunneled_reply = no
>
> That seems to be the reason why it doesn't work
>
> According to the inner-tunnel I uncommented
> #
> # Instead of "use_tunneled_reply", uncomment the
> # next two "update" blocks.
> #
> update {
> &outer.session-state: += &reply:
> }
>
> update outer.session-state {
> MS-MPPE-Encryption-Policy !* ANY
> MS-MPPE-Encryption-Types !* ANY
> MS-MPPE-Send-Key !* ANY
> MS-MPPE-Recv-Key !* ANY
> Message-Authenticator !* ANY
> EAP-Message !* ANY
> Proxy-State !* ANY
>
> }
>
>
>
> On Wed, Feb 20, 2019 at 8:25 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Feb 20, 2019, at 2:13 PM, Vladimir Cvetic <vcvetic.vc at gmail.com>
>> wrote:
>> >
>> > I can see in the debug log that the Session-Timeout attribute is set within
>> > the inner tunnel but it doesn't make its way out into the access-accept
>> > response. The session is not terminated by the NAS.
>> >
>> > Even with the parameter "use_tunneled_reply=yes" it doesn't work with PEAP.
>> >
>> > Even if it's working for EAP-TLS I'd like to know what I'm doing wrong but
>> > I simply don't see it. Any hint you can share would be appreciated.
>>
>> There *is* a debug log you can read.
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
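
The inner-tunnel `update` blocks quoted above first copy the inner reply into `outer.session-state` and then filter that list with `!* ANY`, an operator that deletes every instance of the named attribute. As an added example (not part of the original post and not FreeRADIUS code), this Python check reads a post-auth fragment and reports whether a wanted attribute survives into the cached list. `SAMPLE`, `audit` and `active_lines` are constructed for illustration, and the check assumes the filter block follows the copy, as in the quoted config.

```python
import re

# Constructed inner-tunnel post-auth fragment modelled on the blocks quoted
# in the thread, with a "!* ANY" line for Session-Timeout added to the filter.
SAMPLE = """\
post-auth {
    update {
        &outer.session-state: += &reply:
    }
    update outer.session-state {
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
        EAP-Message !* ANY
        Session-Timeout !* ANY
    }
}
"""

COPY_RE = re.compile(r"&outer\.session-state:\s*\+=\s*&reply:")
BLOCK_RE = re.compile(r"update\s+&?outer\.session-state\s*\{([^}]*)\}")
DELETE_RE = re.compile(r"^\s*&?([\w-]+)\s*!\*\s*ANY\s*$", re.M)


def active_lines(config):
    """Drop '#' comments so commented-out blocks are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in config.splitlines())


def audit(config, wanted):
    """Map each wanted attribute to what happens to it in the inner tunnel."""
    text = active_lines(config)
    copied = COPY_RE.search(text) is not None
    deleted = set()
    for body in BLOCK_RE.findall(text):
        deleted.update(DELETE_RE.findall(body))
    verdicts = {}
    for attr in wanted:
        if not copied:
            verdicts[attr] = "not copied: inner reply never reaches outer.session-state"
        elif attr in deleted:
            verdicts[attr] = "deleted: '!* ANY' removes it after the copy"
        else:
            verdicts[attr] = "cached: stays in outer.session-state"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, ["Session-Timeout", "Class"]).items():
        print(f"{name}: {verdict}")
```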