The debug output shows you what attributes are available in the inner tunnel...
I'm looking here, but I can't see it. Thu Dec 7 12:37:39 2017 : Debug: (10) Virtual server inner-tunnel received request Thu Dec 7 12:37:39 2017 : Debug: (10) EAP-Message = 0x023000061a03 Thu Dec 7 12:37:39 2017 : Debug: (10) FreeRADIUS-Proxied-To = 127.0.0.1 Thu Dec 7 12:37:39 2017 : Debug: (10) User-Name = "bj" Thu Dec 7 12:37:39 2017 : Debug: (10) State = 0x9aa53a9f9b95204846eab62797564f73 Thu Dec 7 12:37:39 2017 : WARNING: (10) Outer and inner identities are the same. User privacy is compromised. Thu Dec 7 12:37:39 2017 : Debug: (10) server inner-tunnel { Thu Dec 7 12:37:39 2017 : Debug: (10) session-state: No cached attributes Thu Dec 7 12:37:39 2017 : Debug: (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Thu Dec 7 12:37:39 2017 : Debug: (10) authorize { Thu Dec 7 12:37:39 2017 : Debug: (10) policy filter_username { Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) { Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) -> TRUE Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name) { Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ / /) { Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ / /) -> FALSE Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /@[^@]*@/ ) { Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Thu Dec 7 12:37:39 2017 : Debug: (10) if (&User-Name =~ /\.\./ ) { Or, maybe it's here, and only two attributes exist in the tunnel? Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: Waiting for search result... Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=examplet,dc=com" Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: Processing user attributes Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: control:Password-With-Header += '{CRYPT}****' Thu Dec 7 12:37:39 2017 : Debug: (1) ldap: control:NT-Password := 0x**** You need to copy the attribute from the outer to the inner so that you
can use it. Either use the old (deprecated) method of setting 'copy_request_to_tunnel' in the eap configuration, or the current way of just copying the attribute you need
copy_request_to_tunnel = yes in the eap file, did not solve the problem. I had gotten that far by myself.
update request { Huntgroup-Name := &outer.Huntgroup-Name }
before calling 'files' in the inner tunnel should do it.
That worked. Thank you for taking the time to help me out! I wonder why "copy_request_to_tunnel = yes" did not work? Is Huntgroup-Name actually a part of the request, as It's not sent by the client? Regards, Tobias