Alan DeKok
2014-10-31 15:12:00 UTC
The server has historically had problems dealing with authentication
conversations that cross multiple packets. The existing
"use_tunnel_reply" feature in TTLS and PEAP helps, but isn't perfect.
The behavior is not clear, and it's easy to get the configuration wrong.
Version 3.0.5 fixes this problem. You can now do:
	authorize {
		...
		update session-state {
			attributes ...
		}
	}
These attributes are automatically cached when the server sends an
Access-Challenge. They are automatically retrieved when the server
receives an Access-Request. They are automatically deleted when the
server sends an Access-Accept or Access-Reject.
This means that the "inner-tunnel" server can now do:
	update outer.session-state {
		...
	}
And the final Access-Accept can be updated by the following code:
	post-auth {
		...
		update {
			reply += session-state
		}
	}
This feature should hopefully be simpler (and better) than the
previous configurations.
The code is available now in the v3.0.x branch in git. Please try it
before 3.0.5 is released!
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
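
The two halves described in the post above, put together as an added example (not part of the original message and not the project's shipped configuration): the inner-tunnel server stages a VLAN assignment on the outer session once the inner identity has authenticated, and the outer server copies it into the final Access-Accept. The VLAN attributes and the value "120" are constructed samples; the list copy is written in the `&reply: += &session-state:` form used by the 3.0.x default site configuration.

```unlang
# sites-available/inner-tunnel: runs inside the TTLS/PEAP tunnel
server inner-tunnel {
	post-auth {
		# The inner user is authenticated at this point. Stage the
		# authorization result on the OUTER session rather than in
		# the inner reply, so it survives the remaining packets of
		# the EAP conversation.
		update outer.session-state {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "120"	# constructed sample VLAN
		}
	}
}

# sites-available/default: the outer server
server default {
	post-auth {
		# Reached only when an Access-Accept is about to be sent.
		# Copy whatever was staged during the conversation into the
		# reply; the cached session-state list is deleted once the
		# Access-Accept goes out.
		update {
			&reply: += &session-state:
		}
	}
}
```

Stage only attributes that are meant for the NAS: everything placed in outer.session-state ends up in the Access-Accept, outside the TLS tunnel.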