WPA-EAP configuration with LDAP backend calls ldap module twice

Mark van Reijn mvreijn at idfocus.nl
Wed Mar 20 17:54:27 CET 2019

Thank you for your response. 

> On 20 Mar 2019, at 16:05, Alan DeKok <aland at deployingradius.com> wrote:
>> FreeRADIUS Version 3.0.15
>  You probably want to upgrade...

We do want to upgrade but are currently limited to the version supplied by the OS-vendor.

>> (7) ldap: Performing search in "cn=default,ou=profiles,ou=radius,o=config" with filter "(objectclass=nivoRadiusProfile)", scope "base"
>> (7) ldap: Waiting for search result...
>> (7) ldap: Processing profile attributes
>> (7) ldap: Tunnel-Medium-Type := IEEE-802
>> (7) ldap: Tunnel-Private-Group-Id := 100
>> (7) ldap: Tunnel-Type := VLAN
>> (7) ldap: Processing user attributes
>  These are attributes which should go into the *final* Access-Accept, and not in any intermediate challenge packet.

I will have to take a closer look at the reply, it is only necessary in the final packet as you mention. Thanks for spotting this. 

>> (9) Sent Access-Accept Id 9 from to length 0
>> (9)   MS-MPPE-Recv-Key = 0x23263892d14c397f30d373067ad29f8c673a19bd0fa42a3e3b74f89cf3fa1f58
>> (9)   MS-MPPE-Send-Key = 0x199553d51fbc32a32a4fcd3edec9f0f0a59836cca6798cd552a9baae611e7899
>> (9)   EAP-Message = 0x03090004
>> (9)   Message-Authenticator = 0x00000000000000000000000000000000
>  And the final Access-Accept doesn't contain any VLAN information.  Is this what you want?
>  For simplicity, you might set "use_tunneled_reply", which gets you the VLAN information in the final Access-Accept.

My apologies, I have that set to 'yes' in the eap configuration on our production server. This was somehow turned off on the test server where this log was generated, I now have enabled it again.

>  The short fix is something like this, in the inner tunnel:
> 	if (!session-state:Tunnel-Type ) {
> 		ldap
> 		update session-state {
> 			Tunnel-Type := &reply:Tunnel-Type
> 		}
> 	}
>  That will make it run "ldap" only once.

I have added this in the inner server configuration (I might have done a similar thing before) 
It's probably me, but it does not work unfortunately. 
In the debug log it clearly states:

(8) server eduroam-inner {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(8)     authorize {

so somehow the session-state is not persisted in the inner server (it is persisted in the outer server, where I cache attributes in the TLS session cache).

What am I doing wrong?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3949 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190320/dec46e68/attachment.bin>

More information about the Freeradius-Users mailing list