Get inner tunnel attributes to outer server for logging.

Dom Latter freeradius-users at latter.org
Tue Jun 5 18:28:04 CEST 2018



On 30/05/18 17:15, Dom Latter wrote:
> On 30/05/18 17:07, Alan Buxey wrote:
>  > Just use unlang to copy the stuff to outer: when in inner. The default
>  > inner-tunnel had such an example
> 
> Yes, the copying back works as long as the inner-tunnel authentication
> works.  If the user is rejected then the username does not get passed
> back, although the failure message does.

I put this in the inner tunnel post-auth section:

	update outer.session-state {
		&User-Name = &User-Name
	}

mods-enabled/linelog has something like:

Access-Accept  = "%S %{reply:Packet-Type} %{%{session-state:User-Name}:-%{%{reply:User-Name}:-%{request:User-Name}}} %{Calling-Station-Id} <snip the rest>

mods-config/sql/main/mysql/queries.conf has
sql_user_name = "%{%{session-state:User-Name}:-%{%{reply:User-Name}:-%{request:User-Name}}}"

and that seems to more or less do the job.

The SQL query that is part of the post-authentication in the "outer"
layer now uses:
  WHERE u.username = '%{%{reply:User-Name}:-%{request:User-Name}}'
which again seems fine.

I read something in the list archive about it being a bad idea to use
"use_tunneled_reply" when using mschapv2 - should I worry about this?
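
Added example, not part of the original message or of FreeRADIUS itself: a simplified Python model of the nested `%{%{A}:-B}` fallback used in the linelog and sql_user_name settings above, showing which User-Name ends up in the log depending on what the inner tunnel copied back. The user names and attribute lists are constructed, and only the expansion forms that appear in this post are modelled.

```python
# Simplified model of FreeRADIUS v3 "%{...}" expansion: handles only
# %{Attr}, %{list:Attr} and the %{%{A}:-B} fallback form used in this post.
TEMPLATE = "%{%{session-state:User-Name}:-%{%{reply:User-Name}:-%{request:User-Name}}}"

def _close(s, open_idx):
    """Return the index of the '}' that closes the '{' at open_idx."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced braces in %r" % s)

def _eval(body, lists):
    """Evaluate the text found between one '%{' and its matching '}'."""
    if body.startswith("%{"):                  # fallback form: %{%{A}:-B}
        end = _close(body, 1)
        if body[end + 1:end + 3] != ":-":
            raise ValueError("expected ':-' after %r" % body[:end + 1])
        first = _eval(body[2:end], lists)
        return first if first else expand(body[end + 3:], lists)
    list_name, sep, attr = body.partition(":")
    if not sep:                                # bare %{Attr} reads the request list
        list_name, attr = "request", body
    return lists.get(list_name, {}).get(attr, "")

def expand(template, lists):
    """Expand every %{...} in template; other characters are copied as-is."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _close(template, i + 1)
            out.append(_eval(template[i + 2:end], lists))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# Constructed outer-server attribute lists (not taken from the post).
OUTER = {"User-Name": "anonymous@example.org"}
CASES = {
    "inner identity copied": {"request": OUTER, "session-state": {"User-Name": "alice@example.org"}},
    "nothing copied back": {"request": OUTER, "session-state": {}, "reply": {}},
}

if __name__ == "__main__":
    for name, lists in CASES.items():
        print("%-22s -> %s" % (name, expand(TEMPLATE, lists)))
```

When nothing is copied into session-state and the reply carries no User-Name, the expansion falls through to the outer request identity, so the log line records the anonymous outer name rather than the inner one.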

