User + Device Authentication to Specific Network

Duncan X Simpson virtualdxs at
Mon Jun 10 23:04:15 CEST 2019

On Mon, Jun 10, 2019 at 1:46 PM Alan DeKok <aland at> wrote:
>   Which shows you're running EAP.  Which would have been good to know.

I apologize, I thought 802.1X implied EAP.

>   Again, *read* the debug output.  ALL OF IT.  If it's hard to read, see:
>   You're doing EAP.  And running the "inner-tunnel" virtual server.
> Which DOES show the request it receives.  AND it shows that request doesn't
> contain Calling-Station-Id.

I see, I was under the impression that the proxied packet showed up as a
(1)/(2)/etc, rather than part of the outer one.

>   If you want to access the *outer* Calling-Station-ID attribute, you can
> do %{outer.request:Calling-Station-Id}.  See "man unlang" for details.

That did it, and the whole thing makes a lot more sense to me now.

I have one last question relating to this. I couldn't find it anywhere in
the docs. How do I determine if a user is in a given group in unlang? I can
set an attribute in radgroupreply if I need to, but I figure there's
probably a cleaner way than that.
