Not able to receive inner identity in Access-Accept (Problem revisited)

Iliya Peregoudov iperegudov at cboss.ru
Thu Jan 15 14:53:09 CET 2015


Hello Lai Fu Keung

The recipe is simple:

1. Set "use_tunneled_reply=yes" in raddb/modules/eap, peap section

2. Make inner Access-Accept contain User-Name. For example

# sites-available/inner-tunnel
post-auth {
    update reply {
        # copy the inner (real) identity into the inner reply list
        User-Name := "%{request:User-Name}"
    }
}

rlm_eap_peap saves the inner reply attributes when use_tunneled_reply=yes. 
rlm_eap_peap clears the reply list and copies over the saved reply attributes 
when it constructs the outer Access-Accept. So a User-Name added to the inner 
reply will be copied into the outer reply.
On 15.01.2015 11:42, Enrique Sainz Baixauli wrote:
> Hi,
>
> On Thu, Jan 15, 2015, at 5:49, Lai Fu Keung <tfklai at hku.hk> wrote:
>> Hi,
>>
>> I am trying to configure my FR v3.0.4 to pass inner identity to outer in
>> eap-peap setup. I read some of the old mails with similar issues, like the
>> following:
>>
>> http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.html
>>
>> I made the following setting as suggested in the mail:
>>
>> 1. Update outer reply in file inner-tunnel, post auth:
>>   update outer.reply {
>>       User-Name = "%{request:User-Name}"
>>   }
>> 2. Set "use_tunneled_reply=yes" in file eap
>
> IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are
> ignored and the outer reply is filled with attributes from the original
> Access-Request. That's why you get User-Name filled with the outer anonymous
> identity. Try setting that to no and filling the outer reply with any other
> attributes you need in that update outer.reply block.
>
>>
>> With the above setting, I still couldn't get it working. I compared my
>> debug with that of the above article. I see the difference at this line:
>>
>> eap_peap : Using saved attributes from the original Access-Accept
>>          Stripped-User-Name = 'bob'
>>
>> The above article uses "User-Name". Is this the difference?
>>
>> I use "Stripped-User-Name" for actual authentication against ldap, but
>> want "User-Name" (with domain) for logging and accounting. I am not sure
>> when they are used in different phases.
>> Near the end of the debug, I even see:
>>
>> Stripped-User-Name = 'bigman'
>>
>> which is obviously wrong, as 'bigman' is the name I made up for "Anonymous
>> Identity".
>>
>> Can anyone give me a clue what I have done wrong? Thanks in advance. Debug
>> log follows.
>>
>> Fu-Keung
>
> Enrique Sainz Baixauli
>
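An added example, not FreeRADIUS code: a small Python model of the outer-reply construction described above (rlm_eap_peap saves the inner reply list, then clears the outer reply and copies the saved attributes when use_tunneled_reply = yes). It contrasts Lai Fu Keung's "update outer.reply" approach with the recipe of putting User-Name in the inner reply; the attribute values and the helper names are constructed for illustration.

```python
# Attribute lists are ordered (name, value) pairs, as in a RADIUS packet.
# Model only; FreeRADIUS internals are not reproduced here.

def apply_update(attrs, name, op, value):
    """Apply one 'update' line: '=' adds only if absent, ':=' replaces, '+=' appends."""
    if op == "=":
        if not any(n == name for n, _ in attrs):
            attrs.append((name, value))
    elif op == ":=":
        attrs[:] = [(n, v) for n, v in attrs if n != name] + [(name, value)]
    elif op == "+=":
        attrs.append((name, value))
    else:
        raise ValueError("unsupported operator: " + op)


def build_outer_reply(inner_reply, outer_reply, use_tunneled_reply):
    """Build the outer Access-Accept reply list.

    inner_reply: reply list produced by the inner-tunnel virtual server
    outer_reply: the outer server's reply list, including anything the
                 inner tunnel wrote via 'update outer.reply'
    """
    if use_tunneled_reply:
        # the saved inner attributes replace the outer reply list wholesale,
        # so earlier 'update outer.reply' edits are discarded
        return list(inner_reply)
    # otherwise the outer reply is kept and the inner reply is not copied
    return list(outer_reply)


def scenario_original_post():
    """'update outer.reply' in inner post-auth with use_tunneled_reply = yes."""
    inner_reply = [("Stripped-User-Name", "bob")]       # constructed sample
    outer_reply = []
    apply_update(outer_reply, "User-Name", "=", "bob@example.org")
    return build_outer_reply(inner_reply, outer_reply, use_tunneled_reply=True)


def scenario_recipe():
    """User-Name placed in the inner reply list instead (the recipe above)."""
    inner_request_user_name = "bob@example.org"        # %{request:User-Name} in the tunnel
    inner_reply = [("Stripped-User-Name", "bob")]
    apply_update(inner_reply, "User-Name", ":=", inner_request_user_name)
    return build_outer_reply(inner_reply, [], use_tunneled_reply=True)
```

Running both scenarios shows the original post's User-Name never reaches the outer reply, while the recipe's does.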