问题
I am adding VSAs programmatically to Access-Accept reply in my FreeRADIUS C module (More details here).
For debugging/troubleshooting purpose, I need a way to visually inspect the VSAs on the receiving end. The issue is that my clients are using inner tunnel protocols (PEAP and TTLS) over EAP outer channel, and the traffic sniffer tools, such as WireShark, show only outer channel data.
I understand there is a way to copy the attributes to the outer channel for this purpose but was unable to find the instructions or samples on how to do this.
回答1:
I wouldn't recommend doing this programatically within your module, unless for some reason it can only over be called within the inner-tunnel server. Instead, you should place your attributes in the request or reply list of the inner tunnel request and then copy them to the outer request using unlang.
The easiest way to copy attributes from the inner to outer tunnels is using the outer.session-state list. This list persists throughout the multiple Access-Request/Access-Challenge rounds of an EAP authentication attempt.
If you want to return attributes in the final Access-Accept, place them in the outer.session-state list using the unlang update keyword from within the inner-tunnel virtual server.
In the outer virtual server in the Post-Auth section, copy the attributes from the outer request's session-state list over to the reply list. This will ensure your VSAs are only sent in the final Access-Accept/Access-Reject and not in any of the intermediary Access-Challenge packets.
The inner virtual server:
server inner {
post-auth {
<your_custom_module>
update outer.session-state {
<custom attribute> := &reply:<custom attribute>
}
}
}
The outer virtual server:
server {
post-auth {
update reply {
<custom attribute> := &session-state:<custom attribute>
}
}
}
来源:https://stackoverflow.com/questions/59146280/how-to-add-copy-vsas-vendor-specific-attributes-to-outer-channel-of-eap-reply