Trying not to send outer identity in the Access-Accept message

Alan DeKok aland at
Wed Dec 11 17:19:41 CET 2019

On Dec 11, 2019, at 11:12 AM, Torres López María Isabel <isabel.torres at> wrote:
> Currently, we are running Freeradius 3.0.11.

  3.0.20 is the newest release.  It has some changes to the policies which affect the outer identity in the Access-Accept.

> It works correctly with our wireless controler, but when we upgrade the firmware of our wireless controlles, the users are not able to stablish sesión anymore.
> The problem is that the freeradius is sending two User-Name values in the Access-Accept packet (the inner and the outer identity), and the Wireless controler detects two values and drops the packet. The authentication is correct, but the Wireless controller does not stablish the user sesión.
> Besides, as the Freeradius sends both identities, sometimes the accountings shows the outer identity, not the inner one.
> ¿Is there any way to send only the inner identity in the Access-Accept packet?

  Upgrade to 3.0.20, and see the new policies in sites-available/default:

	#  If both session-state and reply contain a User-Name attribute, remove
	#  the one in the reply if it is just a copy of the one in the request, so
	#  we don't end up with two User-Name attributes.

	if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
		update reply {
			&User-Name !* ANY
	update {
		&reply: += &session-state:

  You may also be able to edit the policies in 3.0.11 to copy the above.  See the "default" virtual server for more details.

  Alan DeKok.

More information about the Freeradius-Users mailing list