PEAP-MSCHAPv2 and anonymous outer identity - can't understand passing inner username to outer tunnel

Alan DeKok aland at deployingradius.com
Thu May 5 07:07:10 UTC 2022


On May 3, 2022, at 6:52 PM, Samuel Walker-Kierluk via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I’ve got FreeRADIUS handling our “eduroam” needs at my university.  Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally:
> -Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers
> -Post-Auth in outer server file: for users of our own realm and on our own campus’s network, I use a few “if” statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point.

  That's good.

> This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn’t work properly, as it uses the outer identity “anonymous” instead of the username from the inner tunnel.

  So move the checks to the inner-tunnel.

  The only magic is you should then add the VLAN attributes to the outer.session-state list. The "post-auth" section will automatically add them to the outer reply.  See the "post-auth" section of the inner-tunnel virtual server, and the post-auth section of the default virtual server.

	#
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
	#  The "session-state" attributes are automatically cached when
	#  an Access-Challenge is sent, and automatically retrieved
	#  when an Access-Request is received.

  Alan DeKok.
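A worked configuration for the approach described above, added here as an illustration; it is not part of the message or of the configuration FreeRADIUS ships. It uses FreeRADIUS 3.x unlang syntax, and the realm (`example.edu`), the username pattern, the LDAP group name and the VLAN IDs are placeholders. Inside the inner-tunnel virtual server, User-Name is the real identity sent inside the TLS tunnel, so the same checks that previously ran in the outer post-auth section work there unchanged; the only difference is that the result goes into outer.session-state instead of reply.

```unlang
#
#  sites-enabled/inner-tunnel, "post-auth" section.
#  Added example, not the shipped configuration.  Realm, pattern, group
#  name and VLAN IDs are placeholders.  In the inner tunnel, User-Name is
#  the real identity, not the anonymous outer one.
#
post-auth {
	#  Username-pattern check on the inner identity.
	if (&User-Name =~ /^guest-.*@example\.edu$/i) {
		update outer.session-state {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "PLACEHOLDER_VLAN_GUEST"
		}
	}
	#  LDAP group check.  Assumes the "suffix" realm module also runs in
	#  the inner-tunnel "authorize" section (so Stripped-User-Name is set
	#  there) and that the ldap module's user filter looks users up by
	#  Stripped-User-Name, as in the poster's outer-server setup.
	elsif (&LDAP-Group == "PLACEHOLDER_STAFF_GROUP") {
		update outer.session-state {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "PLACEHOLDER_VLAN_STAFF"
		}
	}
	#  Everyone else in our realm: the default VLAN.
	else {
		update outer.session-state {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "PLACEHOLDER_VLAN_DEFAULT"
		}
	}
}

#
#  sites-enabled/default, "post-auth" section.  This is the part the
#  shipped 3.x configuration already contains (the comment quoted in the
#  message sits directly above it); nothing needs to be added here.  It
#  copies whatever the inner tunnel put into session-state onto the
#  outer Access-Accept, which is how the VLAN attributes reach the AP.
#
post-auth {
	update {
		&reply: += &session-state:
	}
}
```

To confirm the result, run the server with `radiusd -X` and check that the final outer Access-Accept (the one sent after the inner MSCHAPv2 success, not the inner-tunnel's own) carries the three Tunnel-* attributes; if they appear only in the inner-tunnel reply, the attributes were written to reply rather than outer.session-state. Keeping the decision in the inner tunnel also means the VLAN is chosen from the authenticated identity rather than from a client-supplied outer identity, so a supplicant cannot influence its VLAN by choosing what it puts in the outer User-Name.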
