RES: How does CUI works? How does anonymous works? Im lost

Daniel Guimaraes Pena daniel.pena at
Wed Jun 24 16:41:14 CEST 2020

By doing this
>	update outer.state {
>		User-Name := &request:User-Name 
>	}

in post-auth at sites-available/inner-tunnel, results in this error:

} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading pre-proxy {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
/etc/freeradius/3.0/sites-enabled/inner-tunnel[374]: Default list "state" specified in mapping section is invalid
/etc/freeradius/3.0/sites-enabled/inner-tunnel[286]: Errors parsing post-auth section.

Does it have to be like this?
>	update outer.session-state {
>		User-Name := &request:User-Name 
>	}

I am starting to think radical: Enabling filter_inner_identity to block those requests that has different usernames

                #  There's no outer realm.  The outer NAI is different from the
                #  inner NAI.  The User-Name MUST be anonymized.
                #  Otherwise, you could log in as outer "bob", and inner "doug",
                #  and we'd have no idea which one was correct.
                elsif (&outer.request:User-Name !~ /^anon/) {
                        update request {
                                Module-Failure-Message = "User-Name is not anonymized"

-----Mensagem original-----
De: Freeradius-Users < at> Em nome de Daniel Guimaraes Pena
Enviada em: quarta-feira, 24 de junho de 2020 11:09
Para: 'FreeRadius users mailing list' <freeradius-users at>
Assunto: RES: How does CUI works? How does anonymous works? Im lost

>  What does that mean?  "I tried stuff and it didn't work".

I searched here: (read a lot of things, but thought that all of them wouldnt work for me) so, as you can see, I tried only one of them and did not work... (I know why now, thanks to your explain)

>   You should probably instead do:
>	update outer.state {
>		User-Name := &request:User-Name 
>	}
> Which means "track the user name across multiple packets".  When you do "update outer.reply", it just updates *this* reply.  Not the final Access-Accept, which may be many packets later.

I'll do that

>  Is that the *outer* post-auth section?

Yes, it is... logs with number 225 are from virtual server default:
(225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default

>  You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section.  The comments there are for exactly this situation.
>  If you don't have those comments, upgrade to the most recent version of the server.  Or, look on GitHub for the default configuration.

I read this... I imagine that this has to do with your suggestion of outer.state, right?

>  Don't bother with CUI.

you dont know how happy I got reading this =) 

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list