Problem with using inner User-Name in outgoing Access-Accept packet
Alan DeKok
aland at deployingradius.com
Wed Jul 3 19:24:13 CEST 2019
On Jul 3, 2019, at 5:45 PM, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I’m having a bit of trouble with getting the inner-tunnel username to
> appear in the outgoing Access-Accept packet.
It should mostly happen automatically in the default configuration.
> Am using session-state to pass inner User-Name back to the outer reply
That should work.
> I’ve selectively enabled debugging at both the inner and outer level just
> for auth requests that have an outer anonymous user-name of @york.ac.uk.
> and an inner User-Name of <fred>@york.ac.uk. For those people that haven’t
> configured their clients properly and have outer=inner=userid at york.ac.uk …
> stuff works :-(
Not good.
> if (session-state:User-Name && reply:User-Name && request:User-Name
>     && (reply:User-Name == request:User-Name) ) {
>     update reply {
>         User-Name !* ANY
>     }
> }
>
> # Just to make really sure
> update reply {
>     User-Name !* ANY
> }
That shouldn't be needed.
The default configuration in v3 sends the User-Name back in the Access-Accept. See the comments in sites-available/default, in the "post-auth" section.
> If I explicitly add the session-state User-Name value to the reply packet
> by uncommenting the
>
> # if ( session-state:User-Name !="@york.ac.uk" &&
> #     session-state:User-Name =~ /york.ac.uk$/i) {
> #     update reply {
> #         User-Name := session-state:User-Name
> #     }
> # }
>
> Then what I get are two User-Names in the Access-Accept packet... both the
> outer and the inner ... see below
Yes, the default configuration has explanations for this. It describes when this happens, and why the default configuration does what it does.
Look at the default config. It works.
Alan DeKok.
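As an added illustration of the flow discussed in this thread (this is not the stock sites-available/default text and not the poster's own snippet; realm name example.org and the section layout are assumptions), the point that decides whether one or two User-Name attributes end up in the Access-Accept is the update operator: ":=" replaces every existing copy of the attribute, while "+=" appends another one.

```unlang
#  Added illustration, not FreeRADIUS's shipped configuration.
#  Assumed: FreeRADIUS v3 unlang syntax; "example.org" is a placeholder realm.

#  --- sites-enabled/inner-tunnel, post-auth ---
post-auth {
	#  Inside the tunnel, &User-Name is the inner (real) identity.
	#  Stash it in the OUTER request's session-state so the outer
	#  post-auth can see it after the EAP conversation finishes.
	#  ":=" replaces any value already there rather than adding a copy.
	update {
		&outer.session-state:User-Name := &User-Name
	}
}

#  --- sites-enabled/default, post-auth ---
post-auth {
	#  Only rewrite the reply when an inner identity was cached AND the
	#  outer identity is the anonymous one (e.g. "@example.org").
	#  Clients that send outer == inner == real identity are left alone.
	if (&session-state:User-Name && (&User-Name =~ /^@example\.org$/i)) {
		update reply {
			#  ":=" again: exactly one User-Name goes out in the Access-Accept.
			#  Using "+=" here is what produces the "two User-Names" symptom.
			&User-Name := &session-state:User-Name
		}
	}
}
```

Checking the result in radiusd -X output is the practical test: an Access-Accept should list User-Name once, carrying the inner value for anonymous-outer clients and the unchanged value for everyone else. If a second copy still appears, look for another rule (in either virtual server) that merges session-state or sets User-Name with "+=".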