The recipe is simple:
1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section
2. Make inner Access-Accept contain User-Name. For example
# sites-available/inner-tunnel postauth { update reply { User-Name := "%{request:User-Name}" } }
rlm_eap_peap saves inner reply attributes when use_tunneled_reply=yes. rlm_eap_peap clears reply list and copy over saved reply attributes when it constructs outer >Access-Accept. So User-Name added to inner reply will be copied into outer reply.
I followed exactly your configuration and it worked finally. Thanks very much. I was using the example from the comment in inner-tunnel, post-auth without much thought (sorry, my fault): update outer.reply { User-Name = "%{request:User-Name}" } It doesn't work for me. To recap, the following settings reply the inner identity to outer in my setup: 1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section 2. Add the following in sites-available/inner-tunnel: postauth { update reply { User-Name := "%{request:User-Name}" } } (Note the change from outer.reply to reply and '=' to ':=' in the original example). However, my next problem is: even though FR replies NAS with the inner-identity User-Name at the end, NAS still uses the outer-identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is the problem with the NAS, right? Fu-Keung