EAP Fast Reauth fails
Alan DeKok
aland at deployingradius.com
Tue May 28 12:22:49 UTC 2024
On May 27, 2024, at 2:15 AM, deepika parmar <parmardeepika9 at gmail.com> wrote:
> I have configured EAP-AKA virtual-server in FreeRADIUS to
> perform authentication. I have enabled eap cache so that fast reauth will
> work and
> session data will be stored in cache. However during store session I could
> not restore Counter and hence reauth fails.
This is for v4, which is still not quite done. If it works, great. If not, please submit patches.
> Logs are:
> Debug : (0.0) h9-auth-server - store session {
> Debug : (0.0) h9-auth-server - | debug_attr
What's wrong with "radiusd -X" as recommended by all
> Store session setting in virtual server:
>
> store session {
> "%(debug_attr:&session-state)"
You should use a more recent version of v4. The function syntax has changed to make more sense, and we've fixed a number of other issues.
Or at least update the configuration to use the new syntax. At some point the old syntax will cause errors.
> If I add accessing Counter, it fails as follows:
> &session-state.Counter := &session-state.Counter
>
> Debug : Compiling policies in - store session {...}
> Error : /usr/local/etc/raddb/mods-enabled/eap-cache[22]: Failed parsing
> attribute reference &session-state.Counter - Unresolved attributes are not
> allowed here
When the module is bootstrapped, it doesn't know that it's supposed to be used in EAP-AKA. So it can't find the "Counter" attribute. This is an issue we're fixing.
An alternative is to edit the EAP-AKA virtual server to copy the necessary attributes to a group:
	&session-state.Tmp-Group-0 := {
		&Counter = &Counter
		...
	}
	eap_cache
	...
Then update the "eap_cache" module to save the Tmp-Group-0 attribute.
And also copy the Counter attributes (etc.) back to their correct place after the eap_cache module restores the cached Tmp-Group-0.
Alan DeKok.