Not able to receive inner identity in Access-Accept (Problem revisited)

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Thu Jan 15 09:42:57 CET 2015


Hi,

On Thu, Jan 15, 2015, at 5:49, Lai Fu Keung <tfklai at hku.hk> wrote:
> Hi,
>
> I am trying to configure my FR v3.0.4 to pass inner identity to outer in
> eap-peap setup. I read some of the old mails with similar issues, like the
> following:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2014-August/073458.html
>
> I made the following setting as suggested in the mail:
>
> 1. Update outer reply in file inner-tunnel, post auth:
>        update outer.reply {
>            User-Name = "%{request:User-Name}"
>        }
> 2. Set "use_tunneled_reply=yes" in file eap

IIRC, when you set use_tunneled_reply to yes, all updates to outer.reply are
ignored and the outer reply is filled with attributes from the original
Access-Request. That's why you get User-Name filled with the outer anonymous
identity. Try setting that to no and filling the outer reply with any other
attributes you need in that update outer.reply block.

>
> With the above setting, I still couldn't get it working. I compared my
> debug with that of the above article. I see the difference at this line:
>
> eap_peap : Using saved attributes from the original Access-Accept
>         Stripped-User-Name = 'bob'
>
> The above article uses "User-Name". Is this the difference?
>
> I use "Stripped-User-Name" for actual authentication against ldap, but
> want "User-Name" (with domain) for logging and accounting. I am not sure
> when they are used in different phases.
> Near the end of the debug, I even see:
>
> Stripped-User-Name = 'bigman'
>
> which is obviously wrong, as 'bigman' is the name I made up for "Anonymous
> Identity".
>
> Can anyone give me a clue what I have done wrong? Thanks in advance. Debug
> log follows.
>
> Fu-Keung

Enrique Sainz Baixauli



