d.thembiliyagoda@lancaster.ac.uk wrote:
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server? Now I can only get the User-Name used for the outer authentication (ex: anonymous).
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a double-inner in play. The best suggestion I have (after years of tweaking it to be just right) is in your inner authorize use: ---- authorize { update outer.request { User-Name := "%{request:User-Name}" } update reply { User-Name := "%{request:User-Name}" } [snipped] update reply { Auth-Type := "%{control:Auth-Type}" } } ---- On the outer layer, you then use '%{%{reply:User-Name}:-%{request:User-Name}}' to get the username. This means you get the inner username for: * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications * when your inner server rejects the request (ie. bad password) (this is why you stuff the inner username into outer.request * TTLS/PEAP has the option of TLS cached sessions which is *good*, doing things this way means you still get the inner name for resumed sessions As a bonus, the Auth-Type is extractable..if you use TLS cached sessions, then this will be EAP. Cheers -- Alexander Clouter .sigmonster says: It was Penguin lust... at its ugliest.