On 13/09/2024 11:34, Connor Herring wrote:
I think I have found why it is sending the username in the Access Accept (update outer.session-state is uncommented) so that's ok but is there a way for me to be sure it's being tunneled? The debug logs state "eap_ttls: Got tunneled Access-Accept" and the logs state the final auth accept came "Via TLS Tunnel" so this would lead me to believe it's fine but is that enough to go on? Just trying to cover everything.
The TLS tunnel protects the authentication, not the full RADIUS exchange. VLAN attributes are always outside the tunnel, they are standard RADIUS attributes. If you want the whole lot hidden you'll need to configure RadSec, but most RADIUS clients won't support that. The reply User-Name is set to whatever the FreeRADIUS policy sets it to, so if you are copying the inner tunnel User-Name back to the outer reply (e.g. via session-state) then that is what will get sent. The debug output will show what is happening. Note that a lot of devices will send the reply User-Name back as the User-Name in accounting messages, so if you want accounting to make sense you may need to send something clear back in the reply. But (without seeing any debug logs), sounds like it's all working as expected. -- Matthew