Outer vs. inner ID in Login OK messages

Martin Pauly pauly at hrz.uni-marburg.de
Fri Jan 25 17:12:32 CET 2019


Hello Alan,

On 23.01.19 at 17:40, Alan DeKok wrote:
>    Hmm.. when I try it with the v3.0.x head, I get:
> 
> (6)   Login OK: [bob] (from client localhost port 0 via TLS tunnel)
> (6) Login OK: [anonymous] (from client localhost port 0 cli 02-00-00-00-00-01)

I think I've tracked it down to some point.
I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN controller
(never trust their gear blindly ...), but got the identical result.

But copying the inner User-Name to &outer.request causes the inner User-Name to
appear in both "Login OK" messages of an EAP-TTLS/PAP authentication.

If I comment out the statement like this
-------------- sites-available/inner-tunnel ---------------
post-auth {
        ...
        update {
                &outer.session-state: += &reply:
####            &outer.request:User-Name := &User-Name
        }
-----------------------------------------------------------
I get the normal behavior. It also makes some sense from a superficial point of view,
as we do overwrite the outer User-Name. E.g. you would just need to get the order of
execution wrong to produce my kind of problem (overwrite, log, send Access-Accept vs.
log, overwrite, send Access-Accept) -- or something else with that effect.

Cheers, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
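
Added example, not part of the original message or of FreeRADIUS: a small Python check that pairs the two "Login OK" lines of each request, in the debug-log form quoted above, and reports requests where the outer line carries the inner identity. The function names and the sample lines for request 7 are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the debug-log form quoted in the message, e.g.
# "(6) Login OK: [bob] (from client localhost port 0 via TLS tunnel)"
LOGIN_OK = re.compile(
    r"^\((?P<req>\d+)\)\s+Login OK: \[(?P<user>[^\]]*)\] \((?P<detail>.*)\)\s*$"
)

def parse_login_ok(lines):
    """Group Login OK identities per request number into inner/outer."""
    requests = defaultdict(dict)
    for line in lines:
        m = LOGIN_OK.match(line.strip())
        if not m:
            continue  # not a Login OK line
        # The inner-tunnel line is the one marked "via TLS tunnel".
        side = "inner" if m["detail"].endswith("via TLS tunnel") else "outer"
        requests[int(m["req"])][side] = m["user"]
    return dict(requests)

def outer_matches_inner(requests):
    """Return request numbers whose outer Login OK shows the inner identity.

    Note: a supplicant that sends its real name as the outer identity
    produces the same pattern, so a hit is a prompt to check the config.
    """
    return sorted(
        req for req, ids in requests.items()
        if "inner" in ids and ids.get("outer") == ids["inner"]
    )

# Constructed sample: request 6 is the output quoted in the thread,
# request 7 is a constructed instance of the behaviour described above.
SAMPLE = """\
(6)   Login OK: [bob] (from client localhost port 0 via TLS tunnel)
(6) Login OK: [anonymous] (from client localhost port 0 cli 02-00-00-00-00-01)
(7)   Login OK: [bob] (from client localhost port 0 via TLS tunnel)
(7) Login OK: [bob] (from client localhost port 0 cli 02-00-00-00-00-01)
""".splitlines()

if __name__ == "__main__":
    reqs = parse_login_ok(SAMPLE)
    for req in outer_matches_inner(reqs):
        print(f"request {req}: outer Login OK logged inner identity "
              f"{reqs[req]['inner']!r}")
```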
