Not able to receive inner identity in Access-Accept (Problem revisited)

Lai Fu Keung tfklai at
Fri Jan 16 08:40:55 CET 2015

>The recipe is simple:
>1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section
>2. Make inner Access-Accept contain User-Name. For example
># sites-available/inner-tunnel
>postauth {
>   update reply {
>       User-Name := "%{request:User-Name}"
>    }
>rlm_eap_peap saves inner reply attributes when use_tunneled_reply=yes. 
>rlm_eap_peap clears reply list and copy over saved reply attributes when it constructs outer >Access-Accept. So User-Name added to inner reply will be copied into outer reply.

I followed exactly your configuration and it worked finally. Thanks very much. 

I was using the example from the comment in inner-tunnel, post-auth without much thought (sorry, my fault):
  update outer.reply {
	User-Name = "%{request:User-Name}"
It doesn't work for me.

To recap, the following settings reply the inner identity to outer in my setup:
1. Set "use_tunnneled_reply=yes" in raddb/modules/eap, peap section
2. Add the following in sites-available/inner-tunnel:
postauth {
   update reply {
       User-Name := "%{request:User-Name}"
(Note the change from outer.reply to reply and '=' to ':=' in the original example).

However, my next problem is: even though FR replies NAS with the inner-identity User-Name at the end, NAS still uses the outer-identity (i.e. the "anonymous identity") to send the accounting packet to FR. I guess it is the problem with the NAS, right?


More information about the Freeradius-Users mailing list