Hi, I have a question about the "Login OK" messages in radius.log. We offer both PEAP/MS-CHAPv2 and EAP-TTLS/PAP to our clients Server is FR 3.0.17 on Debian. Upon succesful authentication, the outer and inner virtual server each append a Login OK message to radius.log - so far, so good. Assume the outer id is set to eduroam@staff.uni-marburg.de. With PEAP, I get Wed Jan 23 15:43:45 2019 : Auth: (4903823) Login OK: [pauly1] (from client wlc3 port 13 cli 20:64:32:00:00:01 via TLS tunnel) Wed Jan 23 15:43:45 2019 : Auth: (4903824) Login OK: [eduroam@staff.uni-marburg.de] (from client wlc3 port 13 cli 20:64:32:00:00:01) With EAP-TTLS/PAP, I get Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01 via TLS tunnel) Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01) So it would seem that in the latter case the outer server still logs the inner id. Is this normal default behavior? Logging the outer id consistently would be really helpful in our case as we use it to trigger a different certificate to be presented to the client. In the post-auth sections of the virtual servers I have: ----------------- sites-available/default -------------- post-auth { ... update { &reply: += &session-state: } ---------------------------------------------------------- -------------- sites-available/inner-tunnel -------------- post-auth { ... update { &outer.session-state: += &reply: &outer.request:User-Name := &User-Name } ---------------------------------------------------------- The debug log does not tell me much in either case, here are the respective post-auth snippets (can provide full if needed): PEAP/MS-CHAPv2: (18) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (18) post-auth { (18) update { (18) &outer.session-state::Airespace-Interface-Name += &reply:Airespace-Interface-Name[*] -> 'edu_staff_nat' (18) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> 802 (18) &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed (18) &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed (18) &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xb7ea5ac23b2680523f909d667460c17d (18) &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0x2c8284d442c7f3d635501c3df519b1ec (18) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x030e0004 (18) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000 (18) &outer.session-state::User-Name += &reply:User-Name[*] -> 'pauly1@staff.uni-marburg.de' (18) &outer.request:User-Name := &User-Name -> 'pauly1@staff.uni-marburg.de' (18) } # update = noop (18) update outer.session-state { (18) MS-MPPE-Encryption-Policy !* ANY (18) MS-MPPE-Encryption-Types !* ANY (18) MS-MPPE-Send-Key !* ANY (18) MS-MPPE-Recv-Key !* ANY (18) Message-Authenticator !* ANY (18) EAP-Message !* ANY (18) Proxy-State !* ANY (18) } # update outer.session-state = noop (18) } # post-auth = noop (18) Login OK: [pauly1@staff.uni-marburg.de] (from client rst2 port 13 cli 4c:34:88:e0:aa:42 via TLS tunnel) (18) } # server inner-tunnel (19) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (19) post-auth { (19) update { (19) &reply::Airespace-Interface-Name += &session-state:Airespace-Interface-Name[*] -> 'edu_staff_nat' (19) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> 802 (19) &reply::User-Name += &session-state:User-Name[*] -> 'pauly1@staff.uni-marburg.de' (19) } # update = noop (19) [exec] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) } # post-auth = noop (19) Login OK: [eduroam@staff.uni-marburg.de] (from client rst2 port 13 cli 4c:34:88:e0:aa:42) EAP-TTLS/PAP: (231) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (231) post-auth { (231) update { (231) &outer.session-state::Airespace-Interface-Name += &reply:Airespace-Interface-Name[*] -> 'edu_staff_nat' (231) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> 802 (231) &outer.request:User-Name := &User-Name -> 'pauly1' (231) } # update = noop (231) update outer.session-state { (231) MS-MPPE-Encryption-Policy !* ANY (231) MS-MPPE-Encryption-Types !* ANY (231) MS-MPPE-Send-Key !* ANY (231) MS-MPPE-Recv-Key !* ANY (231) Message-Authenticator !* ANY (231) EAP-Message !* ANY (231) Proxy-State !* ANY (231) } # update outer.session-state = noop (231) } # post-auth = noop (231) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:3f:80:ef via TLS tunnel) (231) } # server inner-tunnel (231) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (231) post-auth { (231) update { (231) &reply::Airespace-Interface-Name += &session-state:Airespace-Interface-Name[*] -> 'edu_staff_nat' (231) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> 802 (231) } # update = noop (231) [exec] = noop (231) policy remove_reply_message_if_eap { (231) if (&reply:EAP-Message && &reply:Reply-Message) { (231) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (231) else { (231) [noop] = noop (231) } # else = noop (231) } # policy remove_reply_message_if_eap = noop (231) } # post-auth = noop (231) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:3f:80:ef) Any ideas? TIA, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg