Pass attributes from inner-tunnel to outer Access-Accept reply

Matthew Newton mcn at
Thu May 27 17:19:21 CEST 2021

On 27/05/2021 16:00, Matteo Raffa wrote:
> Specifically, I have set Tunnel-Private-Group-ID on LDAP for each user, so I need to pass this together with Tunnel-Type := 13 and Tunnel-Medium-Type := 6.


> At this point I went in inner-tunnel in post-auth and tried to have the above mentioned attributes passed to outer reply
> 	#
> 	#  Instead of "use_tunneled_reply", change this "if (0)" to an
> 	#  "if (1)".
> 	#
> 	if (1) {
> 		#
> 		#  These attributes are for the inner-tunnel only,
> 		#  and MUST NOT be copied to the outer reply.
> 		#
> 		update reply {
> 			User-Name !* ANY
> 			Message-Authenticator !* ANY
> 			EAP-Message !* ANY
> 			Proxy-State !* ANY
> 			MS-MPPE-Encryption-Types !* ANY
> 			MS-MPPE-Encryption-Policy !* ANY
> 			MS-MPPE-Send-Key !* ANY
> 			MS-MPPE-Recv-Key !* ANY
> 			Tunnel-Type := 13
> 			Tunnel-Medium-Type := 6
> 			Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
> 		}

This is for deleting attributes that are in the inner tunnel and should 
not be in the reply. You could set Tunnel-Type and Tunnel-Medium-Type 
here, but the last line is a no-op.

> 		#
> 		#  Copy the inner reply attributes to the outer
> 		#  session-state list.  The post-auth policy will take
> 		#  care of copying the outer session-state list to the
> 		#  outer reply.
> 		#
> 		update {
> 			&outer.session-state: += &reply:
> 		}

Your last debug doesn't show this. Have you removed it? It copies the 
inner tunnel reply into the session-state list. The outer post-auth then 
copies the session-state list into the final reply.

> 	}
> And that’s where I start to get errors (see the second debug log).
> The update outer session-state block returns this error: ERROR: Mapping "&reply:" -> "&outer.session-state:" invalid in this context
> I tried to sort that out and did various tests for the past day, but
> I really couldn’t understand what that is due to.

That's because you are testing against the inner tunnel directly, so 
there is no "outer" to copy to.

> I get the same error even if I remove the attribute assignment from ldap module and keep the default in update reply block in inner tunnel (so without the Tunnel-* stuff I added), so I can’t really understand where it comes from.

Use e.g. eapol_test to send debug requests to the main virtual server on 
port 1812, rather than radtest to the inner tunnel.

> It seems that the problem only arises when the reply gets copied to the outer session-state; in fact, if I comment that update block out, the inner-tunnel reply is correctly built and sent with Access-Accept (see third debug log).
> Can you point me in the right direction?

Make sure the session-state stuff is still there, both in the 
inner-tunnel and in the post-auth section of the outer server.

Send tests to the outer virtual server, not the inner.

Then it will work.
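As an added illustration (not from either poster, and not the stock config verbatim), this is how the two halves of the advice above fit together in a FreeRADIUS 3.x setup. It assumes the ldap module has already placed Tunnel-Private-Group-ID into the inner-tunnel reply, and that the outer virtual server is the stock sites-enabled/default; the section names and the post-auth copy in the outer server are those of the standard 3.x configuration.

```unlang
#  sites-enabled/inner-tunnel, post-auth section (added example).
#  Assumes ldap has already set &reply:Tunnel-Private-Group-ID.
post-auth {
	if (1) {
		update reply {
			#  Keep these deletions: inner EAP and MPPE keying
			#  material belongs to the inner tunnel only and must
			#  not overwrite what the outer EAP layer produces.
			User-Name !* ANY
			Message-Authenticator !* ANY
			EAP-Message !* ANY
			Proxy-State !* ANY
			MS-MPPE-Encryption-Types !* ANY
			MS-MPPE-Encryption-Policy !* ANY
			MS-MPPE-Send-Key !* ANY
			MS-MPPE-Recv-Key !* ANY

			#  Constant VLAN attributes: 13 = VLAN, 6 = IEEE-802.
			#  Tunnel-Private-Group-ID is already in &reply: from
			#  ldap, so assigning it to itself would be a no-op.
			Tunnel-Type := 13
			Tunnel-Medium-Type := 6
		}

		#  Copy the filtered inner reply into the OUTER request's
		#  session-state list.  "outer" only exists when the request
		#  arrived through the outer server via EAP; sending directly
		#  to inner-tunnel has no outer request, hence the
		#  'invalid in this context' error.
		update {
			&outer.session-state: += &reply:
		}
	}
}

#  sites-enabled/default (outer server), post-auth section.
#  This copy is present in the stock 3.x config; it moves the
#  session-state list into the final Access-Accept.  The rest of the
#  section stays as shipped.
post-auth {
	update {
		&reply: += &session-state:
	}
}
```

Drive the test through the outer server (eapol_test to port 1812, as suggested in the reply) rather than radtest against inner-tunnel; in the debug output the inner `update { &outer.session-state: ... }` should succeed and the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID should appear in the final Access-Accept. Leave the `!* ANY` deletions in place: they are what keeps the inner tunnel's EAP-Message and MS-MPPE keys from ending up in the outer reply.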


