List: freeradius-users
Subject: Re: Outer vs. inner ID in Login OK messages
From: Alan DeKok <aland () deployingradius ! com>
Date: 2019-01-25 16:50:08
Message-ID: 340DB115-5D43-4652-9570-56C031FDF85F () deployingradius ! com
On Jan 25, 2019, at 11:12 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
> I think I've tracked it down to some point.
> I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN
> controller (never trust their gear blindly ...), but got the identical result.
OK.
> But copying the inner User-Name to &outer.request causes the inner User-Name to
> appear in both "Login OK" messages of an EAP-TTLS/PAP authentication.
Well, yes. Editing the User-Name causes the User-Name to be edited.
> If I comment out the statement like this
> -------------- sites-available/inner-tunnel ---------------
> post-auth {
> ...
> update {
> &outer.session-state: += &reply:
> #### &outer.request:User-Name := &User-Name
> }
> -----------------------------------------------------------
> I get the normal behavior.
Which is why that isn't in the default config. It's wrong.
> It also makes some sense from a superficial point of view,
> as we do overwrite the outer User-Name. E.g. you would just need to get order of
> execution wrong to produce my kind of problem (overwrite, log, send Access-Accept
> vs. log, overwrite, send Access-Accept) -- or something else with that effect.
It's best to *not* edit the User-Name. But it's up to you. You can reorder your
config to avoid the problem.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html