How to Remove Framed-MTU from Access-Accept in PEAP Authentication
早川 拓人
Takuto.Hayakawa at soliton.co.jp
Thu May 1 22:24:35 UTC 2025
Hi!
I noticed that when performing PEAP authentication using FreeRADIUS, an unintended "Framed-MTU" attribute is included in the Access-Accept. Could you please advise on how to remove this "Framed-MTU" from the Access-Accept?
After some investigation, I found that adding the following code at the beginning of the post-auth section allows for its removal:
==========================================================================
sites-enabled/default.in
-----
post-auth {
+ if ( &session-state:Framed-MTU ) {
+ update session-state {
+ &Framed-MTU !* ANY
+ }
+ }
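Review bot: the `if ( &session-state:Framed-MTU )` guard around the update is redundant; `!* ANY` deletes every instance of the attribute and is a no-op when none exists, so the hunk reduces to `update session-state { &Framed-MTU !* ANY }`. What actually makes it work is its position: it runs before the stock `update { &reply: += &session-state: }` block later in post-auth, which the debug log shows copying the value into the reply (`&reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994`). A filter that does not depend on ordering relative to that copy strips the attribute from the reply list instead, at the end of post-auth: `update reply { &Framed-MTU !* ANY }` (or an entry in the attr_filter.access_accept list under mods-config/attr_filter/access_accept, which the post-auth in this log does not call and would have to be added). The value being removed (994) is the server's own session-state copy, not the 1400 the NAS sent in the request, so nothing the client supplied is lost.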
==========================================================================
Is this method correct? Additionally, is there a simpler and safer way to remove the "Framed-MTU"?
Thank you for your assistance.
Please find the debug log below for your reference.
Due to email size constraints, I have included an excerpt in the email. For the full log, please refer to the attached FreeRadiusv3_2_7_PEAP_Accept.log.
==========================================================================
FreeRADIUS Version 3.2.7
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/totp
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/accounting
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(10) Received Access-Request Id 10 from 10.27.51.116:57794 to 10.27.253.187:1812 length 181
(10) User-Name = "testuser"
(10) NAS-IP-Address = 127.0.0.1
(10) Calling-Station-Id = "02-00-00-00-00-01"
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Connect-Info = "CONNECT 11Mbps 802.11b"
(10) EAP-Message = 0x02db002e1900170303002310158c7451c89b82dd9648b451912651938c789a7c0457355d16f4c534c4ececc8d968
(10) State = 0xb7ba80b5be61993f874d82a0836e8f2a
(10) Message-Authenticator = 0x6fdfa7aec2e249db346658bdd5d27b5b
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 994
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "testuser", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 219 length 46
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Removing EAP session with state 0xb7ba80b5be61993f
(10) eap: Previous EAP request found for state 0xb7ba80b5be61993f, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: (TLS) EAP Done initial handshake
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 219 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(10) post-auth {
(10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(10) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(10) update {
(10) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHello'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Certificate'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, Finished'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 ChangeCipherSpec'
(10) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Finished'
(10) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(10) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(10) } # update = noop
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(10) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(10) } # post-auth = noop
(10) Sent Access-Accept Id 10 from 10.27.253.187:1812 to 10.27.51.116:57794 length 176
(10) MS-MPPE-Recv-Key = 0x608f9a06f91c5f0e78718d27476ba06fd7f1bcf07327ba08e25eff6a611ac05b
(10) MS-MPPE-Send-Key = 0xb34c7fbf7ee95be27291e9949dd47b3cbd9bb9e933ebe2a518adc990d5bf854c
(10) EAP-Message = 0x03db0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "testuser"
(10) Framed-MTU += 994
(10) Finished request
Waking up in 4.9 seconds.
EXIT(2) CALLED src/main/radiusd.c[792]
==========================================================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FreeRadiusv3_2_7_PEAP_Accept.log
Type: application/octet-stream
Size: 94970 bytes
Desc: FreeRadiusv3_2_7_PEAP_Accept.log
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20250501/d3274980/attachment-0001.obj>
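As an added check (this is editor-supplied example code, not part of the mailing-list post and not FreeRADIUS project code), the script below parses `radiusd -X` output like the excerpt above and reports what the server really put on the wire in each Access-Accept: it flags attributes that should not reach the NAS (Framed-MTU here) and attributes a PEAP Access-Accept must carry (the MS-MPPE keys and the EAP-Message holding EAP Success). The embedded SAMPLE_LOG is constructed from the post's excerpt; the forbidden and required attribute lists are this example's choice, not a FreeRADIUS default.

```python
"""Audit the attributes FreeRADIUS sends in Access-Accept packets by parsing
radiusd -X debug output.

Added example, not code from the original post or the FreeRADIUS project.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence, Tuple

# radiusd -X prints the outgoing packet as a header line followed by one
# attribute per line, each prefixed with the request number, e.g.
#   (10) Sent Access-Accept Id 10 from 10.27.253.187:1812 to 10.27.51.116:57794 length 176
#   (10)   Framed-MTU += 994
# The operator printed (=, +=, :=) is the one the reply list was built with.
SENT_RE = re.compile(r"^\((\d+)\)\s+Sent (Access-\w+) Id (\d+) ")
ATTR_RE = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+) (=|\+=|:=) (.*)$")

# Constructed sample, taken from the excerpt in the post.
SAMPLE_LOG = """\
(10) Sent Access-Accept Id 10 from 10.27.253.187:1812 to 10.27.51.116:57794 length 176
(10) MS-MPPE-Recv-Key = 0x608f9a06f91c5f0e78718d27476ba06fd7f1bcf07327ba08e25eff6a611ac05b
(10) MS-MPPE-Send-Key = 0xb34c7fbf7ee95be27291e9949dd47b3cbd9bb9e933ebe2a518adc990d5bf854c
(10) EAP-Message = 0x03db0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "testuser"
(10) Framed-MTU += 994
(10) Finished request
"""

# Attribute policy for this example: Framed-MTU has no business in a
# PEAP Access-Accept; the MPPE keys and the EAP Success must be present.
FORBIDDEN = ("Framed-MTU",)
REQUIRED = ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "EAP-Message")


@dataclass
class SentPacket:
    request: int          # the (N) request number in the debug output
    code: str             # Access-Accept / Access-Reject / Access-Challenge
    packet_id: int        # RADIUS packet Id
    attrs: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, op, value)


def parse_sent_packets(lines: Iterable[str]) -> List[SentPacket]:
    """Collect every 'Sent Access-*' block and the attribute lines under it."""
    packets: List[SentPacket] = []
    current = None
    for line in lines:
        m = SENT_RE.match(line)
        if m:
            current = SentPacket(int(m.group(1)), m.group(2), int(m.group(3)))
            packets.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m and int(m.group(1)) == current.request:
            current.attrs.append((m.group(2), m.group(3), m.group(4)))
            continue
        # Any other line ("Finished request", the next request, ...) ends the block.
        current = None
    return packets


def audit(packets: Sequence[SentPacket],
          forbidden: Sequence[str] = FORBIDDEN,
          required: Sequence[str] = REQUIRED) -> List[str]:
    """Return one finding per policy violation in each Access-Accept."""
    findings: List[str] = []
    for p in packets:
        if p.code != "Access-Accept":
            continue
        names = {name for name, _, _ in p.attrs}
        for name in forbidden:
            if name in names:
                vals = ", ".join(f"{op} {v}" for n, op, v in p.attrs if n == name)
                findings.append(f"request {p.request}: {name} leaked in Access-Accept ({vals})")
        for name in required:
            if name not in names:
                findings.append(f"request {p.request}: {name} missing from Access-Accept")
    return findings


if __name__ == "__main__":
    # Usage: python audit_accept.py radiusd-debug.log   (no argument: run on SAMPLE_LOG)
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    for finding in audit(parse_sent_packets(source)) or ["OK: no findings"]:
        print(finding)
```

Run it against the full `radiusd -X` capture before and after the post-auth change; the Framed-MTU finding should disappear while the MS-MPPE keys and EAP-Message stay present, which is the property that matters (a filter that is too broad, for example one that strips the whole reply list, would turn up as "missing" findings instead).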