On Jan 25, 2019, at 11:12 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
I think I've tracked it down to some point. I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN controller (never trust their gear blindly ...), but got the identical result.
OK.
But copying the inner User-Name to &outer.request causes the inner User-Name to appear in both "Login OK" messages of a EAP-TTLS/PAP authentication.
Well, yes. Editing the User-Name causes the User-Name to be edited.
If I comment out the statement like this -------------- sites-available/inner-tunnel --------------- post-auth { ... update { &outer.session-state: += &reply: #### &outer.request:User-Name := &User-Name } ----------------------------------------------------------- I get the normal behavior.
Which is why that isn't in the default config. It's wrong.
It also makes some sense from a superficial point of view, as we do overwrite the outer User-Name. E.g. you would just need to get order of execution wrong to produce my kind of problem (overwite, log, send Access-Accept vs. log, overwite, send Access-Accept) -- or something else with that effect.
It's best to *not* edit the User-Name. But it's up to you. You can reorder your config to avoid the problem. Alan DeKok.