On May 3, 2022, at 6:52 PM, Samuel Walker-Kierluk via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I’ve got FreeRADIUS handling our “eduroam” needs at my university. Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally: -Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers -Post-Auth in outer server file: for users of our own realm and on our own campus’s network, I use a few “if” statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point.
That's good.
This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn’t work properly, as it uses the outer identity “anonymous” instead of the username from the inner tunnel.
So move the checks to the inner-tunnel. The only magic is you should then add the VLAN attributes to the outer.session-state list. The "post-auth" section will automatically add them to the outer reply. See the "post-auth" section of the inner-tunnel virtual server, and the post-auth section of the default virtual server. # # For EAP-TTLS and PEAP, add the cached attributes to the reply. # The "session-state" attributes are automatically cached when # an Access-Challenge is sent, and automatically retrieved # when an Access-Request is received. Alan DeKok.