Windows10 PEAP: "Could not find Pool-Name attribute"

Volodymyr Litovka doka.ua at gmx.com
Wed Sep 18 00:17:07 CEST 2019


Hi Alan,

Thanks for the pointer; it seems I got it working. Could you please check whether I did it the right way?

1) modified sites-enabled/inner-tunnel, added in ‘post-auth’:

        # ---
        if (&control:Pool-Name) {
                update outer.session-state {
                        Pool-Name := &control:Pool-Name
                }
        }
        # ---

2) modified sites-enabled/default, added in ‘post-auth’, immediately before main_pool:

        # ---
        if (&session-state:Pool-Name) {
                update control {
                        Pool-Name := &session-state:Pool-Name
                }
        }
        # ---
        main_pool


Thanks again!


-- 
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison

> On 17 Sep 2019, at 17:16, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Sep 16, 2019, at 9:07 AM, Volodymyr Litovka <doka.ua at gmx.com> wrote:
>> 
>> I’m facing a problem connecting a Windows 10 client to Strongswan (IKEv2) with Freeradius as the AAA backend.
>> 
>> Configuration of Freeradius is almost untouched and it works like a charm for OSX->Strongswan clients:
>> 
>> - added ippool to mods-enabled (main_pool)
>> - enabled main_pool in ‘default’ site in ‘post-auth’ and ‘accounting’ sections
>> 
>> Unlike OSX, Windows10 falls into a PEAP conversation, so I modified sites-enabled/inner-tunnel - added main_pool into the ‘post-auth’ section as well.
> 
>  Note that this sets it *only* for the inner-tunnel request.  Not the outer one.
> 
>> Output from ‘freeradius -X’ is available at the following link: https://pastebin.com/FKFep8Za where you can see that until and during step (8) Freeradius successfully authenticates the user, assigns Framed-IP-Address from the pool and returns it (line 926) for further processing, but during step (9) it tries to do the same (line 1034) and fails. Is it either not seeing the Framed-IP-Address attribute or losing information about main_pool during passes over the inner-tunnel?
> 
>  Each packet is handled as a separate thing.  If you want attributes saved across multiple packets, then place them into the session-state list.  See the "inner-tunnel" examples for more information.
> 
>> User definition is quite simple:
>> 
>> aeris   Cleartext-Password := "q1w2e3", Pool-Name := main_pool
>>       Service-Type = Framed-User
>> 
>> Removing main_pool from sites-enabled/inner-tunnel (in order to leave this to sites/default) changed nothing - the same message “Could not find Pool-Name attribute” appears in the log. I tried to play with some configuration parameters in mods-enabled/eap (copy_request_to_tunnel, use_tunneled_reply) and sites-enabled/inner-tunnel (if(0)/if(1)), but since I don’t clearly understand what they’re responsible for, I had no success.
>> 
>> Can anybody point me to the cause of the problem?
> 
>  You need to copy the main_pool settings from the inner-tunnel to the *outer* session-state list.  Then, apply it in the *outer* post-auth section.
> 
>  Alan DeKok.
> 
> 