By doing this
update outer.state { User-Name := &request:User-Name }
in post-auth at sites-available/inner-tunnel, results in this error: } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} /etc/freeradius/3.0/sites-enabled/inner-tunnel[374]: Default list "state" specified in mapping section is invalid /etc/freeradius/3.0/sites-enabled/inner-tunnel[286]: Errors parsing post-auth section. Does it have to be like this?
update outer.session-state { User-Name := &request:User-Name }
I am starting to think radical: Enabling filter_inner_identity to block those requests that has different usernames # # There's no outer realm. The outer NAI is different from the # inner NAI. The User-Name MUST be anonymized. # # Otherwise, you could log in as outer "bob", and inner "doug", # and we'd have no idea which one was correct. # elsif (&outer.request:User-Name !~ /^anon/) { update request { Module-Failure-Message = "User-Name is not anonymized" } reject } -----Mensagem original----- De: Freeradius-Users <freeradius-users-bounces+daniel.pena=mpdft.mp.br@lists.freeradius.org> Em nome de Daniel Guimaraes Pena Enviada em: quarta-feira, 24 de junho de 2020 11:09 Para: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Assunto: RES: How does CUI works? How does anonymous works? Im lost
What does that mean? "I tried stuff and it didn't work".
I searched here: http://freeradius.1045715.n5.nabble.com/ (read a lot of things, but thought that all of them wouldnt work for me) so, as you can see, I tried only one of them and did not work... (I know why now, thanks to your explain)
You should probably instead do:
update outer.state { User-Name := &request:User-Name }
Which means "track the user name across multiple packets". When you do "update outer.reply", it just updates *this* reply. Not the final Access-Accept, which may be many packets later.
I'll do that
Is that the *outer* post-auth section?
Yes, it is... logs with number 225 are from virtual server default: (225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section. The comments there are for exactly this situation.
If you don't have those comments, upgrade to the most recent version of the server. Or, look on GitHub for the default configuration.
I read this... I imagine that this has to do with your suggestion of outer.state, right?
Don't bother with CUI.
you dont know how happy I got reading this =) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html