I reverted everything back to my own ssid policy but now tried the following at the beginning of the inner-tunnel authorize section: --- /etc/raddb/sites-enabled/inner-tunnel Mon Apr 27 15:08:31 2015 +++ /etc/raddb/sites-enabled/inner-tunnel Tue Apr 28 14:52:09 2015 @@ -46,6 +46,9 @@ # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { + update request { + Local-SSID := "%{outer.request:Local-SSID}" + } and that works: (11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) update request { (11) EXPAND %{outer.request:Local-SSID} (11) --> MYSSID (11) Local-SSID := "MYSSID" (11) } # update request = noop So I guess that should also work with Called-Station-SSID. Any insights? -Gerald On 28/04/15 14:43, Gerald Vogt wrote:
On 28/04/15 14:07, Alan DeKok wrote:
On Apr 28, 2015, at 7:36 AM, Gerald Vogt <vogt@spamcop.net> wrote:
The default server has the Called-Station-Id attribute, it does correctly extract the SSID from the Id and it correctly puts it into the Called-Station-SSID. I even do some checks in unlang based on that SSID in the outer server and they show results as expected.
Hmm... the TTLS / PEAP code only copies over RADIUS *protocol* attributes. It doesn't copy anything else. I suppose that should be documented better.
So I suppose in that context the attribute exists. But it doesn't go into the inner tunnel. Neither by means of the eap module copy_request_to_tunnel=yes nor by the added "update request" in the inner tunnel.
You should be able to do:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
It doesn't work. I have tried that and
update request { Called-Station-SSID := &outer.Called-Station-SSID }
at the beginning of the inner-tunnel authorize section and neither gets any value in the inner tunnel.
If that doesn't work, it's likely a bug.
So it's a bug, I guess.
Yes. I know that. That's how I did it in the beginning. My own "ssid" policy does not modify Called-Station-Id and thus I could extract the SSID in the inner tunnel as well.
Just run the policy in the inner tunnel, not the outer one.
I need the SSID in the outer server, too. So I guess it's back to square one and I better use my own policy which simply extracts the SSID. That policy I can use on both servers...
-Gerald - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html