Inner Tunnel User-Name

Alan DeKok aland at deployingradius.com
Mon May 5 15:03:22 UTC 2025


On May 5, 2025, at 10:32 AM, Christoph Egger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I have configured EAP-TTLS+PAP using sites-enabled/proxy-inner-tunnel.
> After I get the Access-Accept message, I do dynamic VLAN assignment in sites-enabled/default in the post-auth section.

  OK, that's good.

> The one thing is: the dynamic VLAN assignment uses the outer User-Name. It works if the outer-tunnel matches the inner-tunnel username.
> I want to do the dynamic VLAN assignment using the Inner-Tunnel User-Name.
> 
> Where can I access the inner-tunnel %{request.User-Name} with ulang after the Access-Accept message ?

  You update the inner-tunnel virtual server, and copy the User-Name to the outer request.  Perhaps in the "control" list, so that it doesn't affect anything else:


	update outer.control {
		&User-Name := &User-Name
	}

  Then in the default virtual server, you access &control:User-Name.

  The underlying issue is that the inner request is finished (and gone) after it returns an Access-Accept.  So you can't access it, because it's gone.  You have to manually save any information that you need.

  Alan DeKok.



More information about the Freeradius-Users mailing list