
List:       freeradius-users
Subject:    Re: Outer vs. inner ID in Login OK messages
From:       Alan DeKok <aland@deployingradius.com>
Date:       2019-01-25 16:50:08
Message-ID: 340DB115-5D43-4652-9570-56C031FDF85F@deployingradius.com


On Jan 25, 2019, at 11:12 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
> I think I've tracked it down to some point.
> I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN
> controller (never trust their gear blindly ...), but got the identical result.

  OK.

> But copying the inner User-Name to &outer.request causes the inner User-Name to
> appear in both "Login OK" messages of an EAP-TTLS/PAP authentication.

  Well, yes.  Editing the User-Name causes the User-Name to be edited.

> If I comment out the statement like this
> -------------- sites-available/inner-tunnel ---------------
> post-auth {
>     ...
>     update {
>         &outer.session-state: += &reply:
>         ####    &outer.request:User-Name := &User-Name
>     }
> }
> -----------------------------------------------------------
> I get the normal behavior.

  Which is why that isn't in the default config.  It's wrong.

> It also makes some sense from a superficial point of view,
> as we do overwrite the outer User-Name. E.g. you would just need to get the order of
> execution wrong to produce my kind of problem (overwrite, log, send Access-Accept
> vs. log, overwrite, send Access-Accept) -- or something else with that effect.

  It's best to *not* edit the User-Name.  But it's up to you.  You can reorder your
config to avoid the problem.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

