FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Thorsten Fritsch thorsten.fritsch at unibas.ch
Mon Nov 19 16:05:59 CET 2018


Hi guys,

we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).

Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
We have set this setting to yes in our config:

ttls {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "eduroam-inner-tunnel"
        }

        peap {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "eduroam-inner-tunnel"
        }

Thanks for your help.

Cheers,
Thorsten



More information about the Freeradius-Users mailing list