Copy User-Name from inner-tunnel to default only once

Sven Hartge
Thu Nov 19 13:09:47 CET 2020


I am sorry for the strange subject but I can't find a shorter description
that still makes some sense.

First: I got this working already in the way I need it but I want to
solicit a maybe more elegant or better solution I may have not seen.

Second: This is for 3.0.21.

Third: This needs a bit of explanation up front before I come to my
question, please bear with me.

What am I doing: I have the usual default/inner-tunnel setup needed for
Wifi+EAP in Eduroam and this all works fine, no problems here.

And I use the "update {  &reply: += &session-state: }" method to copy
specific attributes from the inner-tunnel into the outer one, most
importantly those to steer the VLAN assignment. This also works nicely.

Now here is the wrinkle: To aid the internal accounting I also need to
provide the internal APs and Controllers with the inner-User-Name but not
in requests leaving via the federation servers to Eduroam.

Until recently I had a setup like this:

# inner-tunnel vhost
post-auth {
  update reply {
          Message-Authenticator !* ANY
          EAP-Message !* ANY
          Proxy-State !* ANY
          MS-MPPE-Encryption-Types !* ANY
          MS-MPPE-Encryption-Policy !* ANY
          MS-MPPE-Send-Key !* ANY
          MS-MPPE-Recv-Key !* ANY
          User-Name !* ANY
  }

  # If internal Wifi system, re-add User-Name (taken from the request)
  if ("%{client:thmtype}" =~ /^aruba-wlan-/) {
          update reply {
                  &User-Name := &User-Name
          }
  }
} # /inner-tunnel vhost

"thmtype" is an additional key I add via client.conf for internal systems
needing this. This also works fine. 

But this creates reply packages with _two_ User-Name attributes in
Access-Accept, because the "copy from session state" adds the internal
Username to the reply.

But this worked for our Aruba IAPs with Virtual Controller, our Wifi guys
saw the real username in their logs and in the accounting database.

Now we upgraded to Aruba Mobility Controller and they choke on the
duplicate User-Name attribute in the Access-Accept, the device never gets
fully authenticated though the controller clearly receives the

To avoid that problem, I now also changed the default VHost to this:

# default vhost
post-auth {
  # Overwrite User-Name in Reply with inner-tunnel
  # and remove from session-state to avoid duplication
  if ("%{client:thmtype}" =~ /^aruba-wlan-/) {
          update {
                  &reply:User-Name := &session-state:User-Name
                  &session-state:User-Name !* ANY
          }
  }
  # Add rest of inner-tunnel attributes to reply
  update {
          &reply: += &session-state:
  }
} # /default vhost

This works fine, but after all those many words, the question:

Is there a more elegant or simpler way to achieve this I didn't see?
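The two default-vhost variants above, as an added Python model that is not part of the post or of FreeRADIUS: it reproduces the unlang `:=`, `+=` and `!* ANY` semantics on ordered attribute lists so the duplicate-User-Name effect and the fix can be checked offline. The identities, the VLAN values and the client flag are constructed assumptions.

```python
# Added model (not from the post) of the unlang "update" operators it uses: it
# shows why the old default-vhost post-auth yields two User-Name attributes in
# the Access-Accept and the reordered version one. Lists are ordered (name,
# value) pairs, as in a RADIUS packet. All sample values are constructed.

def op_set(attrs, name, value):
    """':=' replaces every attribute of that name with one instance (or appends)."""
    return [(n, v) for n, v in attrs if n != name] + [(name, value)]

def op_add(attrs, other):
    """'+=' with a whole list appends every attribute, duplicates included."""
    return list(attrs) + list(other)

def op_delete(attrs, name):
    """'!* ANY' removes all attributes of that name."""
    return [(n, v) for n, v in attrs if n != name]

def inner_post_auth(inner_reply, inner_identity, client_is_aruba):
    """Inner-tunnel post-auth from the post (other '!* ANY' lines omitted): strip
    User-Name, then re-add the inner identity for internal Wi-Fi clients."""
    out = op_delete(inner_reply, "User-Name")
    return op_set(out, "User-Name", inner_identity) if client_is_aruba else out

def old_default_post_auth(reply, session_state):
    """Old default-vhost post-auth: update { &reply: += &session-state: }"""
    return op_add(reply, session_state)

def new_default_post_auth(reply, session_state, client_is_aruba):
    """New version: overwrite reply:User-Name, drop it from session-state, add the rest."""
    if client_is_aruba:
        inner = [v for n, v in session_state if n == "User-Name"]
        if inner:
            reply = op_set(reply, "User-Name", inner[0])
        session_state = op_delete(session_state, "User-Name")
    return op_add(reply, session_state)

# Constructed sample: the outer reply already carries the anonymous outer identity,
# the inner reply the real identity plus the VLAN steering attributes.
OUTER_REPLY = [("User-Name", "anonymous@example.edu")]
INNER_REPLY = [("User-Name", "alice@example.edu"), ("Tunnel-Type", "VLAN"),
               ("Tunnel-Private-Group-Id", "42")]

def access_accept(old, client_is_aruba=True):
    """Final Access-Accept attribute list for the old or the new default vhost."""
    state = inner_post_auth(INNER_REPLY, "alice@example.edu", client_is_aruba)
    if old:
        return old_default_post_auth(OUTER_REPLY, state)
    return new_default_post_auth(OUTER_REPLY, state, client_is_aruba)
```

Counting the User-Name entries in `access_accept(old=True)` versus `access_accept(old=False)` reproduces the two-versus-one difference the controller trips over.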

