debug output is usually so long... The inner-tunnel contains these three lines at the beginning of the authorize section: update request { Called-Station-SSID := &outer.Called-Station-SSID } This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work... Thanks, Gerald Received Access-Request Id 10 from 10.25.10.6:60617 to 10.25.10.7:1812 length 306 User-Name = 'anonymous@example.com' Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' Called-Station-Id = '11-22-33-44-55-66:MYSSID' NAS-IP-Address = 10.25.1.111 EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375 State = 0xacb99350a5b38a32e0f8f7523b6eb4d6 Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627 (10) Received Access-Request packet from host 10.25.10.6 port 60617, id=10, length=306 (10) User-Name = 'anonymous@example.com' (10) Calling-Station-Id = '02-00-00-00-00-01' (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Connect-Info = 'CONNECT 11Mbps 802.11b' (10) Called-Station-Id = '11-22-33-44-55-66:MYSSID' (10) NAS-IP-Address = 10.25.1.111 (10) EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375 (10) State = 0xacb99350a5b38a32e0f8f7523b6eb4d6 (10) Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (!&User-Name) (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\\.\\./ ) (10) if (&User-Name =~ /\\.\\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\\.$/) (10) if (&User-Name =~ /\\.$/) -> FALSE (10) if (&User-Name =~ /@\\./) (10) if (&User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (10) auth_log : --> /var/log/radius/radacct/10.25.10.6/auth-detail-20150428 (10) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-detail-20150428 (10) auth_log : EXPAND %t (10) auth_log : --> Tue Apr 28 10:55:40 2015 (10) [auth_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "example.com" for User-Name = "anonymous@example.com" (10) suffix : Found realm "example.com" (10) suffix : Adding Stripped-User-Name = "anonymous" (10) suffix : Adding Realm = "example.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) rewrite_called_station_id rewrite_called_station_id { (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { (10) update request { (10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 11-22-33-44-55-66 (10) Called-Station-Id := "11-22-33-44-55-66" (10) } # update request = noop (10) if ("%{8}") (10) EXPAND %{8} (10) --> MYSSID (10) if ("%{8}") -> TRUE (10) if ("%{8}") { (10) update request { (10) EXPAND %{8} (10) --> MYSSID (10) Called-Station-SSID := "MYSSID" (10) } # update request = noop (10) } # if ("%{8}") = noop (10) [updated] = updated (10) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated (10) ... skipping else for request 10: Preceding "if" was taken (10) } # rewrite_called_station_id rewrite_called_station_id = updated (10) if ( Huntgroup-Name == "wlan" ) (10) if ( Huntgroup-Name == "wlan" ) -> TRUE (10) if ( Huntgroup-Name == "wlan" ) { (10) if ( Called-Station-SSID ) (10) if ( Called-Station-SSID ) -> TRUE (10) if ( Called-Station-SSID ) { (10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" ) (10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" ) -> FALSE (10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" ) (10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" ) -> FALSE (10) } # if ( Called-Station-SSID ) = updated (10) ... skipping else for request 10: Preceding "if" was taken (10) } # if ( Huntgroup-Name == "wlan" ) = updated (10) ... skipping elsif for request 10: Preceding "if" was taken (10) eap : Peer sent code Response (2) ID 10 length 144 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0x590f140159050ed0 (10) eap : Finished EAP session with state 0xacb99350a5b38a32 (10) eap : Previous EAP request found for state 0xacb99350a5b38a32, released from the list (10) eap : Peer sent method PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 server default { (10) eap_peap : Setting User-Name to gerald@example.com Sending tunneled request EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'gerald@example.com' State = 0x590f140159050ed009dc274a52ff2d37 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' NAS-IP-Address = 10.25.1.111 Event-Timestamp = 'Apr 28 2015 10:55:40 CEST' Called-Station-Id := '11-22-33-44-55-66' server inner-tunnel { (10) server inner-tunnel { (10) Request: EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'gerald@example.com' State = 0x590f140159050ed009dc274a52ff2d37 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' NAS-IP-Address = 10.25.1.111 Event-Timestamp = 'Apr 28 2015 10:55:40 CEST' Called-Station-Id := '11-22-33-44-55-66' (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) update request { (10) } # update request = noop (10) [preprocess] = ok (10) auth_inner_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d (10) auth_inner_log : --> /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428 (10) auth_inner_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428 (10) auth_inner_log : EXPAND %t (10) auth_inner_log : --> Tue Apr 28 10:55:40 2015 (10) [auth_inner_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "example.com" for User-Name = "gerald@example.com" (10) suffix : Found realm "example.com" (10) suffix : Adding Stripped-User-Name = "gerald" (10) suffix : Adding Realm = "example.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) Proxy-To-Realm := 'LOCAL' (10) } # update control = noop On 28/04/15 11:09, Arran Cudbard-Bell wrote:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
I tried that but it doesn't work.
I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly.
Mind posting all the debug output? Unless it's super secret...