On Jun 24, 2020, at 10:41 AM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
By doing this
update outer.state { User-Name := &request:User-Name }
in post-auth at sites-available/inner-tunnel, results in this error:
} # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading pre-proxy {...} # Loading post-proxy {...} # Loading post-auth {...} /etc/freeradius/3.0/sites-enabled/inner-tunnel[374]: Default list "state" specified in mapping section is invalid /etc/freeradius/3.0/sites-enabled/inner-tunnel[286]: Errors parsing post-auth section.
Sorry, that's a typo.
Does it have to be like this?
update outer.session-state { User-Name := &request:User-Name }
Yes.
I am starting to think radical: Enabling filter_inner_identity to block those requests that has different usernames
If you can't update the clients which send the wrong outer identity, there's not much you can do. Rejecting them won't work. Alan DeKok.