use_tunneled_reply in PEAP or TTLS tunnels

Herwin Weststrate herwin at
Fri Jun 6 12:03:44 CEST 2014

Hi all,

I was playing around a bit with the option use_tunneled_reply today. The
description given in the config is as follows:

>  The reply attributes sent to the NAS are usually
>  based on the name of the user 'outside' of the
>  tunnel (usually 'anonymous').  If you want to send
>  the reply attributes based on the user name inside
>  of the tunnel, then set this configuration entry to
>  'yes', and the reply to the NAS will be taken from
>  the reply to the tunneled request.

The last part (and the reply to the NAS will be taken from the reply to
the tunneled request) makes me expect that all attributes from the reply
of the home server are copied to the outer reply. In this case it would
be the various attributes to change a VLAN (Tunnel-Type,
Tunnel-Medium-Type and Tunnel-Private-Group-Id).

Looking at the reply, I only see the User-Name attribute updated to my
inner user. The relevant code uses the method pairfilter, which is
described as "Move pairs of a matching attribute number, vendor number
and tag from the input list to the output list." Basically, this means
that only values that are already present are overwritten. Not exactly
what I was expecting.

Is this a bug in the code, or is the problem just that the documentation
could use a little clarification?

Herwin Weststrate
