Not able to receive inner identity in Access-Accept in EAP-TTLS.

Axel Luttgens axel.luttgens at
Mon Sep 1 14:40:27 CEST 2014

Le 1 sept. 2014 à 11:18, Axel Luttgens a écrit :

> [...]
> I'll try to submit a piece of text as soon as possible.

So, the idea would be to replace:

		#  The reply attributes sent to the NAS are usually
		#  based on the name of the user 'outside' of the
		#  tunnel (usually 'anonymous').  If you want to send
		#  the reply attributes based on the user name inside
		#  of the tunnel, then set this configuration entry to
		#  'yes', and the reply to the NAS will be taken from
		#  the reply to the tunneled request.

with something like this:

		#  It may sometimes be needed to propagate data from
		#  the inner session to the outer one.
		#  The classical example is to augment the outer reply
		#  packet with a User-Name attribute bearing the user's
		#  inner-identity, so that the NAS emits its subsequent
		#  accounting packets with that identity.
		#  When set to "yes", this configuration entry allows
		#  to add attributes, even private ones, to the inner
		#  reply and to make them available in the reply handled
		#  by the outer session (where they can even be further
		#  massaged).
		#  Note that this setting allows to ensure that the
		#  saved attributes are restored in the last packet of
		#  the outer session that opened the tunnel; this is to
		#  be contrasted with a simple "update outer.reply"
		#  performed in the inner-tunnel.


More information about the Freeradius-Users mailing list