InnerAttributes not escaped when transmitted to outter

Stun Box stunbox at
Tue Jun 2 11:23:54 CEST 2009

I set in copy_tunnel_reply to yes and I use the inner-tunnel user-name
in my default / post-auth.

And I still have the real user-name hidden.

In default / post-auth :

 update reply{
                User-Name := "%{request:User-Name}"
                Tunnel-Medium-Type = 6
                Tunnel-Type = 13
                Tunnel-Private-Group-Id =
`/usr/local/etc/raddb/getVlan %{reply:User-Name}`

It will now work nicely with your fix. Thanks

2009/6/2 Alan DeKok <aland at>:
> A.L.M.Buxey at wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>         update outer.reply {
>>                 User-Name = "%{User-Name}"
>>         }
>  That's still needed.  The question is what do you want the server to
> do.  Always over-ride the outer name with the inner one?  If so, why is
> the outer one "anonymous", and the inner one "user at realm"?
>  i.e. "anonymous" is being used to hide the inner name... which
> promptly gets exposed with that rule.  Is this a good idea?
>  What else could be done to be secure, but also useful?
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list