Outer vs. inner ID in Login OK messages
Alan DeKok
aland at deployingradius.com
Fri Jan 25 17:50:08 CET 2019
On Jan 25, 2019, at 11:12 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> I think I've tracked it down to some point.
> I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN controller
> (never trust their gear blindly ...), but got the identical result.
OK.
> But copying the inner User-Name to &outer.request causes the inner User-Name to
> appear in both "Login OK" messages of an EAP-TTLS/PAP authentication.
Well, yes. Editing the User-Name causes the User-Name to be edited.
> If I comment out the statement like this
> -------------- sites-available/inner-tunnel ---------------
> post-auth {
> ...
> update {
> &outer.session-state: += &reply:
> #### &outer.request:User-Name := &User-Name
> }
> -----------------------------------------------------------
> I get the normal behavior.
Which is why that isn't in the default config. It's wrong.
> It also makes some sense from a superficial point of view,
> as we do overwrite the outer User-Name. E.g. you would just need to get order of
> execution wrong to produce my kind of problem (overwrite, log, send Access-Accept vs.
> log, overwrite, send Access-Accept) -- or something else with that effect.
It's best to *not* edit the User-Name. But it's up to you. You can reorder your config to avoid the problem.
Alan DeKok.
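An added example, not from this thread and not the FreeRADIUS default config: the post-auth update block from the quoted inner-tunnel config with the User-Name rewrite dropped, and the inner identity carried out through the outer session-state instead, so the outer request's User-Name (and the outer "Login OK" line) is left alone. The attribute name Stripped-User-Name and the outer-server fragment are assumptions.

```unlang
# sites-available/inner-tunnel (added example, not the list post's own config)
post-auth {
    update {
        # as in the default config: carry inner reply attributes to the outer session
        &outer.session-state: += &reply:

        # the line that caused the symptom in the post: it rewrites the outer
        # request's User-Name, so the outer "Login OK" line shows the inner
        # identity too
        #&outer.request:User-Name := &User-Name

        # instead, stash the inner identity in a separate attribute of the outer
        # session-state; the outer User-Name stays untouched.
        # Stripped-User-Name is an assumed choice of attribute.
        &outer.session-state:Stripped-User-Name := &User-Name
    }
}

# sites-available/default (outer server), post-auth section (assumed fragment)
post-auth {
    # default behaviour: merge what the inner tunnel stored into the reply
    update {
        &reply: += &session-state:
    }
    # the inner identity is now available here as
    # %{session-state:Stripped-User-Name} for logging or SQL,
    # without &request:User-Name ever having been edited
}
```

Because nothing touches &request:User-Name in either server, the order in which the log line, the update and the Access-Accept happen no longer matters for the outer identity.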