Inner identity in accounting logs

Arran Cudbard-Bell A.Cudbard-Bell at
Tue Feb 3 19:42:38 CET 2009

Hash: SHA1

Jonathan Gazeley wrote:
> No - this is a completely standard FreeRADIUS configuration. Nothing
> relating to rewriting anything has been changed.
> In the debug log posted in one of my earlier messages, it appears the FR
> server sends an Access-Challenge packet from the inner server using my
> statically set outer ID (testing-jg4461). But immediately after, it
> reverts to using the original outer ID (qwerty99). Then this username
> shows in accounting.
> This doesn't happen when I set the outer ID in the outer server. In that
> case, the statically set outer ID sticks and appears in accounting.
> What's the difference between using an identical piece of code in inner
> or outer servers?

As far as i'm aware this has never worked, which is why I still return
attributes from the inner tunnel and get it that way.

eap {

	peap {
		use_tunneled_reply = yes
		virtual_server = "local.user.inner"

server local.user.inner {
	post-auth {
		#  Return inner identity to use in final accept
		update reply {
			User-Name := "%{Stripped-User-Name}"

You can then apply your authorisation policy in post-auth where it
should be already :P .

Alan, If the last round of the EAP conversation didn't require data to
be sent to the inner server the outer.User-Name attribute would just be
discarded right? Or do you store those attributes in the same place you
store the tunneled-reply ?


> Alan DeKok wrote:
>> Jonathan Gazeley wrote:
>>> Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS
>>> expands the username as expected, but why this username never makes it
>>> back to the NAS. Does anyone have any ideas?
>>   No idea... is there anything else that's over-writing the User-Name?
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
> -
> List info/subscribe/unsubscribe? See

- --
Arran Cudbard-Bell (A.Cudbard-Bell at,
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla -


More information about the Freeradius-Users mailing list