Pass attributes from inner-tunnel to outer Access-Accept reply

Matteo Raffa matteo.raf at
Fri May 28 09:52:01 CEST 2021

> This is for deleting attributes that are in the inner tunnel and should not be in the reply. You could set Tunnel-Type and Tunnel-Medium-Type here, but the last line is a no-op.

You’re right. That attribute is already in the reply, so I can skip it.

> Your last debug doesn't show this. Have you removed it? It copies the inner tunnel reply into the session-state list. The outer post-auth then copies the session-state list into the final reply.

Yes, I commented that block out as you can see in the third debug output, just to test if the inner reply was updated correctly.

> That's because you are testing against the inner tunnel directly, so there is no "outer" to copy to.
> Make sure the session-state stuff is still there, bot in the inner-tunnel and in post-auth section of the outer server.
> Send tests to the outer virtual server, not the inner.
> Then it will work.

Well, I feel a bit stupid now, I kept testing the inner-tunnel and I never tested the outer one because I got stuck on this.
Thanks for pointing me in the right direction.
It works as expected now.

Do you believe that a wiki page about this kind of configuration may help? I’ve spent a couple of days reading documentation and comments on the mailing list in order to figure out the correct way to set this up.
I’d be happy to put that together with all the infos I gathered and submit it to you for a check before publishing to the community.

More information about the Freeradius-Users mailing list