On Nov 4, 2025, at 3:54 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770...
And there are also examples in the FreeRADIUS inner-proxy configuration file:
Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
We use PEAP/MS-CHAPv2 on our eduroam SSID.
Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) à our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous@unibe.ch accounts, this will be used for further processing in a cloud service.
But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxing is done, but here I am not 100% sure about this.
Reading the debug output, the inner-tunnel virtual server is being run. But the lnner-tunnel "Post-Auth-Type" isn't being run.
But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Just copy it in another section in the inner-tunnel. if (!&outer.config:User-Name) { update { &outer.config:User-Name := &User-Name } } Alan DeKok.