Outer vs. inner ID in Login OK messages

Alan DeKok aland at deployingradius.com
Fri Jan 25 17:50:08 CET 2019

On Jan 25, 2019, at 11:12 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> I think I've tracked it down to some point.
> I double-checked with eapol_test as opposed to real supplicant+Cisco WLAN controller
> (never trust their gear blindly ...), but got the identical result.


> But copying the inner User-Name to &outer.request causes the inner User-Name to
> appear in both "Login OK" messages of an EAP-TTLS/PAP authentication.

  Well, yes.  Editing the User-Name causes the User-Name to be edited.

> If I comment out the statement like this
> -------------- sites-available/inner-tunnel ---------------
> post-auth {
>        ...
>       update {
>                 &outer.session-state: += &reply:
> ####             &outer.request:User-Name := &User-Name
>        }
> -----------------------------------------------------------
> I get the normal behavior.

  Which is why that isn't in the default config.  It's wrong.

> It also makes some sense from a superficial point of view,
> as we do overwrite the outer User-Name. E.g. you would just need to get the order of
> execution wrong to produce my kind of problem (overwrite, log, send Access-Accept vs.
> log, overwrite, send Access-Accept) -- or something else with that effect.

  It's best to *not* edit the User-Name.  But it's up to you.  You can reorder your config to avoid the problem.

  Alan DeKok.
