how to do accounting with the inner identity

Alexander Clouter alex at
Mon Jan 24 14:21:45 CET 2011

Eric Doutreleau <Eric.Doutreleau at> wrote:
> I m trying to use freeradius 2.1.10 and to make authenticate my users 
> with eap-ttls process and a ldap server for the backend
> All is running fine but i can't succeed to have the accounting done with 
> the inned identity of the ttls tunnel.
It all looks fine at your end, as you pass the 'new' User-Name in the 
Access-Accept back to your NAS.  RFC2865 says your NAS *should* then 
mark the Accounting packets appropriately with the new User-Name, this is 
*not* a must though and optional

> I can see the Username "updated" in the the following debug log but in 
> the accounting it s the outer identity that is used.
> Does someone know what i can do to make the accounting with the inner 
> identity
> [snipped: freeradius -X]
Your debug does not show *any* accounting traffic being sent to 
FreeRADIUS (none that I could see) after your Access-Accept.  If your 
NAS does not send the new User-Name attribute in the Accounting Request, 
then I recommend you wave the RFC2865 link I gave above at your vendor.


Alexander Clouter
.sigmonster says: My weight is perfect for my height -- which varies.

More information about the Freeradius-Users mailing list