use_tunneled_reply in PEAP or TTLS tunnels

Alan DeKok aland at
Fri Jun 6 13:44:09 CEST 2014

Herwin Weststrate wrote:
> The last part (and the reply to the NAS will be taken from the reply to
> the tunneled request) makes me expect that all attributes from the reply
> of the home server are copied to the outer reply. In this case it would
> be the various attributes to change a VLAN (Tunnel-Type,
> Tunnel-Medium-Type and Tunnel-Private-Group-Id).

  Yes, that should happen.

> Looking at the reply, I only see the User-Name attribute updated to my
> inner user. The relevant code uses the method pairfilter, which is
> described as "Move pairs of a matching attribute number, vendor number
> and tag from the the input list to the output list." Basically, this means
> that only values that are already present are overwritten. Not exactly
> what I was expecting.

  And not what the documentation for pairfilter says.  It helps to read
ALL of it:

 * @param[in] attr to match, if PW_VENDOR_SPECIFIC and vendor 0, only VSAs will
 *	      be copied.  If 0 and 0, all attributes will match
 * @param[in] vendor to match.
 * @param[in] tag to match, TAG_ANY matches any tag, TAG_NONE matches tagless VPs.

> Is this a bug in the code, or is the problem just that the documentation
> could use a little clarification?

  The code should work as documented.  Since you haven't posted any
debug output, there's no reason to think otherwise.

  Alan DeKok.
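
Added example, not part of the original message and not FreeRADIUS code: a small C model of the matching rules listed in the quoted @param text, run against a constructed inner reply. The struct, the function names and the two tag sentinel values are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Values for this model only: 26 is the RADIUS Vendor-Specific attribute
 * number; the two tag sentinels are constructed, not FreeRADIUS's. */
#define PW_VENDOR_SPECIFIC 26
#define TAG_ANY  INT8_MIN
#define TAG_NONE 0

typedef struct {
    unsigned attr, vendor;  /* vendor 0 = standard attribute */
    int8_t   tag;           /* TAG_NONE when the pair is tagless */
} model_vp;

/* The matching rules as listed in the quoted @param text. */
static int model_match(const model_vp *vp, unsigned attr, unsigned vendor, int8_t tag)
{
    if (tag != TAG_ANY && vp->tag != tag) return 0;  /* TAG_NONE: tagless only */
    if (attr == 0 && vendor == 0) return 1;          /* 0 and 0: all attributes */
    if (attr == PW_VENDOR_SPECIFIC && vendor == 0)   /* only VSAs */
        return vp->vendor != 0;
    return vp->attr == attr && vp->vendor == vendor;
}

/* Copy matching pairs to out[] (removal from the input is not modelled). */
static size_t model_filter(model_vp *out, const model_vp *in, size_t n,
                           unsigned attr, unsigned vendor, int8_t tag)
{
    size_t moved = 0;
    for (size_t i = 0; i < n; i++)
        if (model_match(&in[i], attr, vendor, tag))
            out[moved++] = in[i];
    return moved;
}

/* Constructed inner reply: User-Name (1), Tunnel-Type (64), Tunnel-Medium-Type
 * (65), Tunnel-Private-Group-Id (81), and one VSA from made-up vendor 99999. */
static size_t demo(unsigned attr, unsigned vendor, int8_t tag)
{
    const model_vp inner[] = { {1, 0, TAG_NONE}, {64, 0, 1}, {65, 0, 1},
                               {81, 0, 1}, {1, 99999, TAG_NONE} };
    model_vp outer[5];
    return model_filter(outer, inner, 5, attr, vendor, tag);
}

int main(void)
{
    printf("0/0/TAG_ANY moves %zu of 5 pairs\n", demo(0, 0, TAG_ANY));
    return 0;
}
```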
