-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Arran Cudbard-Bell wrote:
Alan DeKok wrote:
Jonathan Gazeley wrote:
I'm running FreeRADIUS 2.1.1.
My config block in the post-auth section of the inner-tunnel server currently reads:
update outer.reply { User-Name := "testing-%{User-Name}" }
FR does indeed appear to be using this block: Just checking this again...
expand: testing-%{User-Name} -> testing-jg4461 ++[outer.reply] returns ok
Authenticating with outer ID "qwerty99" and inner ID "jg4461" gives output as in the attached log, included to give context. The outer server is "uobresnet" and the inner one is still called "inner-tunnel". This works for me in the most recent git tree. I set "outer.reply" with a different User-Name, and I see it in the final reply.
Ok, i'll confirm that shortly...
Yep it works: rad_recv: Access-Request packet from host 139.184.8.16 port 1024, id=90, length=312 Framed-MTU = 1480 NAS-IP-Address = 139.184.8.16 NAS-Identifier = "hp-e-uscs-dev-h-sw1" User-Name = "anonymous@sussex.ac.uk" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-14-38-fb-94-00" Calling-Station-Id = "00-1f-5b-33-42-a1" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" [ttls] Got tunneled request User-Name = "ac221" User-Password = "***" FreeRADIUS-Proxied-To = 127.0.0.1 [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} expand: %{Stripped-User-Name} -> ac221 ++[outer.reply] returns noop [ttls] Got tunneled reply code 2 [ttls] Got tunneled Access-Accept [ttls] Saving response in the cache ++[eap] returns ok ++? if ("%{reply:User-Name}") expand: %{reply:User-Name} -> ac221 ? Evaluating ("%{reply:User-Name}") -> TRUE ++? if ("%{reply:User-Name}") -> TRUE ++- entering if ("%{reply:User-Name}") {...} expand: %{reply:User-Name} -> ac221 +++[request] returns ok +++- entering policy uidrewrite {...} ++++? if ("%{request:User-Name}") expand: %{request:User-Name} -> ac221 ? Evaluating ("%{request:User-Name}") -> TRUE ++++? if ("%{request:User-Name}") -> TRUE ++++- entering if ("%{request:User-Name}") {...} +++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) expand: %{request:User-Name} -> ac221 ? Evaluating ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) - -> TRUE +++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE +++++- entering if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {...} expand: %{1} -> ac221 ++++++[request] returns ok expand: %{3} -> expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk ++++++[request] returns ok +++++- if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns ok +++++ ... skipping else for request 20: Preceding "if" was taken ++++- if ("%{request:User-Name}") returns ok +++- policy uidrewrite returns ok expand: %{Stripped-User-Name}@%{Stripped-User-Domain} -> ac221@sussex.ac.uk +++[reply] returns ok ++- if ("%{reply:User-Name}") returns ok All good :) That's with copy_request_to_tunnel = no and use_tunneled_reply = no The complex looking stuff is just the server combining the outer domain with the inner identity to produce a routeable, non-anonymised username for the NAS to use in accounting packets... Thanks, Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmdmp8ACgkQcaklux5oVKKQcwCgj8P+xP6PQltZpCpUf4t4DIZy lLoAn0qmPPGH+eTUg9ielnI5DrAfmvF4 =LsgH -----END PGP SIGNATURE-----