Hi, we’ve set up freeradius 3.0 in order to authenticate users through an LDAP server, also users are assigned different VLAN depending on gidNumber ldap attribute. We have 2 enabled sites ‘default’ and ‘inner-tunnel’ Those are the relevant parts of our setup: sites-enabled/default post-auth { if (LDAP-Group == 10000 ) { update reply { Service-Type = Framed-User Tunnel-Type = 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-ID = 20 } } if (LDAP-Group == 10001 ) { update reply { Service-Type = Framed-User Tunnel-Type = 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-ID = 40 } } [….] } mods-enabled/ldap user { […] filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))" […] } I’ve ignored most parts of the configuration because they are mostly default configuration. This have been working for several years with no relevant issues, but now we’ve noticed an issue that would like to correct: Windows clients sends ‘anonymous’ as anonymous identity when connecting to wifi after wake up, so outer identity is set to ‘anonymous’ and post-auth section of ‘default’ site gets the outer identity instead of the real one, so the LDAP search is based on ‘anonymous’, user is not found so no LDAP-Group, so no correct VLAN is assigned to that client. This also happens if someone enters “anonymous” as anonymous identity when connecting. Here’s a Access-Request part of a log ending with Access-Accept, but with wrong assigned VLAN. (29) Received Access-Request Id 43 from 192.168.0.19:38666 to 192.168.10.100:1812 length 306 (29) User-Name = "anonymous" (29) NAS-IP-Address = 192.168.0.19 (29) NAS-Identifier = "fa92bf24addf" (29) Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER" (29) NAS-Port-Type = Wireless-802.11 (29) Service-Type = Framed-User (29) Calling-Station-Id = "D0-C5-D3-5A-3E-A9" (29) Connect-Info = "CONNECT 0Mbps 802.11b" (29) Acct-Session-Id = "AFE698CF77042B3D" (29) Acct-Multi-Session-Id = "7A7B1A2476F7F9DE" (29) WLAN-Pairwise-Cipher = 1027076 (29) WLAN-Group-Cipher = 1027076 (29) WLAN-AKM-Suite = 1027073 (29) Framed-MTU = 1400 (29) EAP-Message = 0x021e004b158000000041170303003c00000000000000010eb9490a83ceab9db4773eec8b6ebf9a98789e9d07b5f4c3a2653bd425ea8133893eedba6b2e0e5050f6987735a41ba601545c91 (29) State = 0x8492598d818c4c92471f232c19036cae (29) Message-Authenticator = 0x4c9003e6cc19547d42d86a1df23d1a76 (29) session-state: No cached attributes (29) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (29) authorize { (29) policy filter_username { (29) if (&User-Name) { (29) if (&User-Name) -> TRUE (29) if (&User-Name) { (29) if (&User-Name =~ / /) { (29) if (&User-Name =~ / /) -> FALSE (29) if (&User-Name =~ /@[^@]*@/ ) { (29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (29) if (&User-Name =~ /\.\./ ) { (29) if (&User-Name =~ /\.\./ ) -> FALSE (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (29) if (&User-Name =~ /\.$/) { (29) if (&User-Name =~ /\.$/) -> FALSE (29) if (&User-Name =~ /@\./) { (29) if (&User-Name =~ /@\./) -> FALSE (29) } # if (&User-Name) = notfound (29) } # policy filter_username = notfound (29) [preprocess] = ok (29) [chap] = noop (29) [mschap] = noop (29) [digest] = noop (29) suffix: Checking for suffix after "@" (29) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (29) suffix: No such realm "NULL" (29) [suffix] = noop (29) eap: Peer sent EAP Response (code 2) ID 30 length 75 (29) eap: Continuing tunnel setup (29) [eap] = ok (29) } # authorize = ok (29) Found Auth-Type = eap (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (29) authenticate { (29) eap: Expiring EAP session with state 0x8492598d818c4c92 (29) eap: Finished EAP session with state 0x8492598d818c4c92 (29) eap: Previous EAP request found for state 0x8492598d818c4c92, released from the list (29) eap: Peer sent packet with method EAP TTLS (21) (29) eap: Calling submodule eap_ttls to process data (29) eap_ttls: Authenticate (29) eap_ttls: Continuing EAP-TLS (29) eap_ttls: Peer indicated complete TLS record size will be 65 bytes (29) eap_ttls: Got complete TLS record (65 bytes) (29) eap_ttls: [eaptls verify] = length included (29) eap_ttls: [eaptls process] = ok (29) eap_ttls: Session established. Proceeding to decode tunneled attributes (29) eap_ttls: Got tunneled request (29) eap_ttls: User-Name = "mroig" (29) eap_ttls: User-Password = “******” (29) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (29) eap_ttls: Sending tunneled request (29) Virtual server inner-tunnel received request (29) User-Name = "mroig" (29) User-Password = “******” (29) FreeRADIUS-Proxied-To = 127.0.0.1 (29) NAS-IP-Address = 192.168.0.19 (29) NAS-Identifier = "fa92bf24addf" (29) Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER" (29) NAS-Port-Type = Wireless-802.11 (29) Service-Type = Framed-User (29) Calling-Station-Id = "D0-C5-D3-5A-3E-A9" (29) Connect-Info = "CONNECT 0Mbps 802.11b" (29) Acct-Session-Id = "AFE698CF77042B3D" (29) Acct-Multi-Session-Id = "7A7B1A2476F7F9DE" (29) WLAN-Pairwise-Cipher = 1027076 (29) WLAN-Group-Cipher = 1027076 (29) WLAN-AKM-Suite = 1027073 (29) Framed-MTU = 1400 (29) Event-Timestamp = "May 26 2022 09:44:29 CEST" (29) server inner-tunnel { (29) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (29) authorize { (29) policy filter_username { (29) if (&User-Name) { (29) if (&User-Name) -> TRUE (29) if (&User-Name) { (29) if (&User-Name =~ / /) { (29) if (&User-Name =~ / /) -> FALSE (29) if (&User-Name =~ /@[^@]*@/ ) { (29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (29) if (&User-Name =~ /\.\./ ) { (29) if (&User-Name =~ /\.\./ ) -> FALSE (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (29) if (&User-Name =~ /\.$/) { (29) if (&User-Name =~ /\.$/) -> FALSE (29) if (&User-Name =~ /@\./) { (29) if (&User-Name =~ /@\./) -> FALSE (29) } # if (&User-Name) = notfound (29) } # policy filter_username = notfound (29) [chap] = noop (29) [mschap] = noop (29) suffix: Checking for suffix after "@" (29) suffix: No '@' in User-Name = "mroig", looking up realm NULL (29) suffix: No such realm "NULL" (29) [suffix] = noop (29) update control { (29) &Proxy-To-Realm := LOCAL (29) } # update control = noop (29) eap: No EAP-Message, not doing EAP (29) [eap] = noop (29) [files] = noop rlm_ldap (ldap): Reserved connection (2) (29) ldap: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2))) (29) ldap: --> (&(uid=mroig)(|(businessCategory=1)(businessCategory=2))) (29) ldap: Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with filter "(&(uid=mroig)(|(businessCategory=1)(businessCategory=2)))", scope "sub" (29) ldap: Waiting for search result... (29) ldap: User object found at DN "uid=mroig,ou=Gent,ou=lledoner,dc=nigul,dc=coop" (29) ldap: Processing user attributes (29) ldap: control:NT-Password := 0x4431443741394445383432423837443141333545433343363734323637323033 rlm_ldap (ldap): Released connection (2) Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (29) [ldap] = updated (29) if (noop && User-Password) { (29) if (noop && User-Password) -> FALSE (29) [expiration] = noop (29) [logintime] = noop (29) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (29) [pap] = updated (29) } # authorize = updated (29) Found Auth-Type = PAP (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (29) Auth-Type PAP { (29) pap: Login attempt with password (29) pap: Comparing with "known-good" NT-Password (29) pap: User authenticated successfully (29) [pap] = ok (29) } # Auth-Type PAP = ok (29) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (29) post-auth { (29) if (0) { (29) if (0) -> FALSE (29) } # post-auth = noop (29) } # server inner-tunnel (29) Virtual server sending reply (29) eap_ttls: Got tunneled Access-Accept (29) eap: Sending EAP Success (code 3) ID 30 length 4 (29) eap: Freeing handler (29) [eap] = ok (29) } # authenticate = ok (29) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (29) post-auth { (29) if (LDAP-Group == 10000 ) { (29) Searching for user in group "10000" rlm_ldap (ldap): Reserved connection (3) (29) EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2))) (29) --> (&(uid=anonymous)(|(businessCategory=1)(businessCategory=2))) (29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))", scope "sub" (29) Waiting for search result... (29) Search returned no results rlm_ldap (ldap): Released connection (3) (29) if (LDAP-Group == 10000 ) -> FALSE (29) if (LDAP-Group == 10001 ) { (29) Searching for user in group "10001" rlm_ldap (ldap): Reserved connection (4) (29) EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2))) (29) --> (&(uid=anonymous)(|(businessCategory=1)(businessCategory=2))) (29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))", scope "sub" (29) Waiting for search result... (29) Search returned no results rlm_ldap (ldap): Released connection (4) (29) if (LDAP-Group == 10001 ) -> FALSE (29) if (LDAP-Group == 10032 ) { (29) Searching for user in group "10032" rlm_ldap (ldap): Reserved connection (0) (29) EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2))) (29) --> (&(uid=anonymous)(|(businessCategory=1)(businessCategory=2))) (29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))", scope "sub" (29) Waiting for search result... (29) Search returned no results rlm_ldap (ldap): Released connection (0) (29) if (LDAP-Group == 10032 ) -> FALSE (29) update { (29) No attributes updated (29) } # update = noop (29) [exec] = noop (29) policy remove_reply_message_if_eap { (29) if (&reply:EAP-Message && &reply:Reply-Message) { (29) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (29) else { (29) [noop] = noop (29) } # else = noop (29) } # policy remove_reply_message_if_eap = noop (29) } # post-auth = noop (29) Sent Access-Accept Id 43 from 192.168.10.100:1812 to 192.168.0.19:38666 length 0 (29) MS-MPPE-Recv-Key = 0x9d69d88a6eec283428461d5b448a1895c01d1f9fabd804b184bc0e435328efad (29) MS-MPPE-Send-Key = 0x097545e078f9a72d69f885fa90ee1b65e7d0016fcf04a8f87281cf9242240f42 (29) EAP-Message = 0x031e0004 (29) Message-Authenticator = 0x00000000000000000000000000000000 (29) User-Name = "anonymous" (29) Finished request With a little research I’ve found several places that discusses this matter, but none one them offers a solution for us. What we tried is: In sites-enabled/inner-tunnel we set if (0) to if (1) here: # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # if (1) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } # # Copy the inner reply attributes to the outer # session-state list. The post-auth policy will take # care of copying the outer session-state list to the # outer reply. # update { &outer.session-state: += &reply: } } This didn’t solve the issue. Also tried to add in same section post-auth: udate reply { User-Name := &request:User-Name } Neither solved the issue. So, as you see, we need a little help to make freeradius use the real identity every time it does the LDAP search to get the correct gidNumber, so we can assign the correct VLAN to the client. Thanks a lot. -- *Informació sobre protecció de dades: El responsable del tractament de les dades personals del destinatari és el remitent de la present comunicació. Aquestes dades són tractades per a la satisfacció del nostre interès legítim per a la gestió de contactes i el manteniment de comunicacions recíproques per qüestions derivades de la nostra activitat. Aquestes dades seran conservades mentre siguin útils per a la finalitat indicada, i, en tot cas, durant els terminis legals i per al temps necessari per atendre a possibles responsabilitats nascudes del tractament. Els interessats tenen dret a sol·licitar l'accés a les seves dades personals, la seva rectificació, supressió o portabilitat, la limitació del seu tractament, a oposar-se al tractament, així com a presentar una reclamació davant una autoritat de control.* _Aquest missatge i els seus documents adjunts són confidencials. Si vostè no és el destinatari, per favor posi-ho en coneixement del remitent i elimini aquesta comunicació i els documents adjunts del seu sistema, sense reproduir ni comunicar els seus continguts. La transmissió de correu electrònic no garanteix que sigui segur o lliure d'error, per la qual cosa, declinem qualsevol responsabilitat sobre aquest tema._