From: Alan T. DeKok Date: Sat, 19 Nov 2016 00:32:10 +0000 (-0500) Subject: fix inner-tunnel policy X-Git-Tag: release_3_0_13~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbbde850ece5c8b2468c55aba0fa7b3d16d54269;p=thirdparty%2Ffreeradius-server.git fix inner-tunnel policy This policy replaces "use_tunneled_reply". It's better to use if (0) { ...} to disable blocks of code, instead of commenting it out. Also, update the local reply before copying it to the outer session-state list. That makes a lot more sense.
---
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index 2c6f9611bfc..d2876115315 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -324,30 +324,34 @@ post-auth {
 # moonshot_coi_tid
 #
- # Instead of "use_tunneled_reply", uncomment the
- # next two "update" blocks.
+ # Instead of "use_tunneled_reply", change this "if (0)" to an
+ # "if (1)".
 #
-# update {
-# &outer.session-state: += &reply:
-# }
+ if (0) {
+ #
+ # These attributes are for the inner-tunnel only,
+ # and MUST NOT be copied to the outer reply.
+ #
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
- #
- # These attributes are for the inner session only.
- # They MUST NOT be sent in the outer reply.
- #
- # If you uncomment the previous block and leave
- # this one commented out, WiFi WILL NOT WORK,
- # because the client will get two MS-MPPE-keys
- #
-# update outer.session-state {
-# MS-MPPE-Encryption-Policy !* ANY
-# MS-MPPE-Encryption-Types !* ANY
-# MS-MPPE-Send-Key !* ANY
-# MS-MPPE-Recv-Key !* ANY
-# Message-Authenticator !* ANY
-# EAP-Message !* ANY
-# Proxy-State !* ANY
-# }
+ #
+ # Copy the inner reply attributes to the outer
+ # session-state list. The post-auth policy will take
+ # care of copying the outer session-state list to the
+ # outer reply.
+ #
+ update {
+ &outer.session-state: += &reply:
+ }
+ }
 #
 # Access-Reject packets are sent through the REJECT sub-section of the
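Review bot: The new `update reply` filter drops MS-MPPE-Encryption-Policy from the list of attributes stripped before the copy, even though the removed `update outer.session-state` block filtered it together with the other MS-MPPE-* attributes; any MS-MPPE-Encryption-Policy set by the inner authentication (presumably by the MS-CHAP module, which I cannot confirm from this hunk) will now travel through `&outer.session-state: += &reply:` into the outer reply next to the outer EAP session's own MPPE attributes. The removed comment warned that leaking the inner MPPE attributes gives the client duplicate values and breaks WiFi, so the filter list should stay complete. Add `MS-MPPE-Encryption-Policy !* ANY` beside `MS-MPPE-Encryption-Types !* ANY` in the `update reply` block. The enclosing post-auth section starts and ends outside this hunk.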