Not able to receive inner identity in Access-Accept (Problem revisited)

Enrique Sainz Baixauli enriquesainz.beca at
Thu Jan 15 09:42:57 CET 2015


On Thu, Jan 15, 2015, at 5:49, Lai Fu Keung <tfklai at> wrote:
> Hi,
> I am trying to configure my FR v3.0.4 to pass inner identity to outer in
> eap-peap setup. I read some of the old mails with similar issues, like the
> I made the following setting as suggested in the mail:
> 1. Update outer reply in file inner-tunnel, post auth:
>     update outer.reply {
>         User-Name = "%{request:User-Name}"
>     }
> 2. Set "use_tunneled_reply=yes" in file eap

IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are
ignored and the outer reply is filled with attributes from the original
Access-Request. That's why you get User-Name filled with the outer anonymous
identity. Try setting that to no and filling the outer reply with any other
attributes you need in that update outer.reply block.

> With the above setting, I still couldn't get it working. I compared my
> debug with that of above article. I see the difference at this line:
> eap_peap : Using saved attributes from the original Access-Accept
>         Stripped-User-Name = 'bob'
> The above article uses "User-Name". Is this the difference?
> I use "Stripped-User-Name" for actual authentication against ldap, but
> want "User-Name" (with domain) for logging and accounting. I am not sure
> when they are used in different phases.
> At near the end of the debug, I even see:
> Stripped-User-Name = 'bigman'
> which is obviously wrong, as 'bigman' is the name I made up for "Anonymous
> Can anyone give me a clue what I have done wrong? Thanks in advance. Debug
> log follows.
> Fu-Keung

Enrique Sainz Baixauli
