Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel

Alan DeKok aland at
Wed Aug 10 13:51:57 UTC 2022

On Aug 10, 2022, at 9:06 AM, Chris Griffin <cgriffin352 at> wrote:
> I am currently migrating some Freeradius 2 based services over to
> Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in
> the inner-tunnel.  In Freeradius 2, I have some post-auth logic that runs
> fine, but it seems that the post-auth section does not run in Freeradius
> 3.

  It should run if you have the "post-auth" section in the inner-tunnel virtual server.  See

  and a few lines later where it calls rad_postauth()

>  I have gone through the documentation and posts to the listserv and
> haven't found any clues as to why.  In my particular case, I am using the
> proxy-inner-tunnel configuration and adding a post-auth section, but in
> other tests, it doesn't seem that post-auth runs when I try to use the
> "inner-tunnel" config, which already has a post-auth section.  Just to make
> things simple to debug, I was able to build a very simple test case which
> shows the problem:
> Steps to re-create:
> build 3.2.0
> delete link to inner-tunnel and link to proxy-inner-tunnel.  edit eap to
> point to proxy-inner-tunnel as virtual server
> add section post-auth and put:
> update outer.session-state {
>      User-Name := &User-Name
> }
> just as a test action to look for.
> add config to proxy.conf to allow for proxying the inner tunnel to another
> radius server.
> Resulting logs when testing with eapol_test:

  It should also print out something like this for the "inner-tunnel" virtual server.   That way you know it's been loaded and parsed.

server inner-tunnel { # from file ./raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}

  If it doesn't say "Loading post-auth" for the proxy-inner-tunnel virtual server, then that's the problem.  You've put the post-auth section somewhere where the server can't see it (or ignores it).

  If it is there, then I'm a little surprised it doesn't work.  We'll have to look at that in more detail.

  Alan DeKok.

More information about the Freeradius-Users mailing list