Hello Alan, Am 23.01.19 um 17:40 schrieb Alan DeKok:
Hmm.. when I try it with the v3.0.x head, I get:
(6) Login OK: [bob] (from client localhost port 0 via TLS tunnel) (6) Login OK: [anonymous] (from client localhost port 0 cli 02-00-00-00-00-01)
I think I've tracked it down to some point. I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN controller (never trust their gear blindly ...), but got the identical result. But copying the inner User-Name to &outer.request causes the inner User-Name to appear in both "Login OK" messages of a EAP-TTLS/PAP authentication. If I comment out the statement like this -------------- sites-available/inner-tunnel --------------- post-auth { ... update { &outer.session-state: += &reply: #### &outer.request:User-Name := &User-Name } ----------------------------------------------------------- I get the normal behavior. It also makes some sense from a superficial point of view, as we do overwrite the outer User-Name. E.g. you would just need to get order of execution wrong to produce my kind of problem (overwite, log, send Access-Accept vs. log, overwite, send Access-Accept) -- or something else with that effect. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg