Not able to receive inner identity in Access-Accept (Problem revisited)
Lai Fu Keung
tfklai at hku.hk
Fri Jan 16 08:40:55 CET 2015
>The recipe is simple:
>
>1. Set "use_tunneled_reply=yes" in raddb/modules/eap, peap section
>
>2. Make inner Access-Accept contain User-Name. For example
>
># sites-available/inner-tunnel
>post-auth {
>    update reply {
>        User-Name := "%{request:User-Name}"
>    }
>}
>
>rlm_eap_peap saves inner reply attributes when use_tunneled_reply=yes.
>rlm_eap_peap clears reply list and copies over saved reply attributes when it constructs outer
>Access-Accept. So User-Name added to inner reply will be copied into outer reply.
I followed exactly your configuration and it worked finally. Thanks very much.
I was using the example from the comment in inner-tunnel, post-auth without much thought (sorry, my fault):
    update outer.reply {
        User-Name = "%{request:User-Name}"
    }
It doesn't work for me.
To recap, the following settings reply the inner identity to outer in my setup:
1. Set "use_tunneled_reply=yes" in raddb/modules/eap, peap section
2. Add the following in sites-available/inner-tunnel:
    post-auth {
        update reply {
            User-Name := "%{request:User-Name}"
        }
    }
(Note the change from outer.reply to reply and '=' to ':=' in the original example).
However, my next problem is: even though FR replies to the NAS with the inner-identity User-Name at the end, the NAS still uses the outer identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is a problem with the NAS, right?
Fu-Keung
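
On the accounting question above: RFC 2865 (section 5.1) says a NAS that receives User-Name in an Access-Accept SHOULD use that name in all Accounting-Request packets for the session, so the behaviour can be checked from the server side. The following is an added example, not part of the original message or of FreeRADIUS; the record layout, the `ts` field and all sample values are constructed, and correlating by NAS-IP-Address plus Calling-Station-Id is an assumption.

```python
import re

# Constructed sample records (not FreeRADIUS log output). "ts" is a
# hypothetical receive timestamp; other keys are RADIUS attribute names.
ACCEPTS = [
    {"ts": 100, "NAS-IP-Address": "192.0.2.10",
     "Calling-Station-Id": "AA-BB-CC-00-11-22", "User-Name": "alice@example.org"},
    {"ts": 200, "NAS-IP-Address": "192.0.2.11",
     "Calling-Station-Id": "aa:bb:cc:00:11:33", "User-Name": "bob@example.org"},
]
ACCOUNTING = [
    {"ts": 105, "NAS-IP-Address": "192.0.2.10", "Acct-Session-Id": "S1",
     "Calling-Station-Id": "aa:bb:cc:00:11:22", "User-Name": "anonymous@example.org"},
    {"ts": 205, "NAS-IP-Address": "192.0.2.11", "Acct-Session-Id": "S2",
     "Calling-Station-Id": "AA-BB-CC-00-11-33", "User-Name": "bob@example.org"},
    {"ts": 50, "NAS-IP-Address": "192.0.2.12", "Acct-Session-Id": "S3",
     "Calling-Station-Id": "aa:bb:cc:00:11:44", "User-Name": "anonymous@example.org"},
]

def session_key(rec):
    """Correlate by NAS and station; MAC separators and case vary per NAS."""
    mac = re.sub(r"[^0-9a-f]", "", rec["Calling-Station-Id"].lower())
    return (rec["NAS-IP-Address"], mac)

def find_identity_mismatches(accepts, accounting):
    """Return accounting records whose User-Name differs from the User-Name
    sent in the latest earlier Access-Accept for the same NAS and station."""
    latest = {}
    findings = []
    events = [(r["ts"], 0, r) for r in accepts] + [(r["ts"], 1, r) for r in accounting]
    for _, kind, rec in sorted(events, key=lambda e: e[:2]):
        key = session_key(rec)
        if kind == 0:
            latest[key] = rec["User-Name"]  # name the NAS was told to use
        elif key in latest and rec["User-Name"] != latest[key]:
            findings.append({"nas": key[0], "session": rec["Acct-Session-Id"],
                             "expected": latest[key], "seen": rec["User-Name"]})
        # accounting with no earlier Access-Accept is skipped: nothing to compare
    return findings

if __name__ == "__main__":
    for finding in find_identity_mismatches(ACCEPTS, ACCOUNTING):
        print(finding)
```

A NAS that shows up in the findings is still sending the outer identity in accounting even though the Access-Accept carried the inner one.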