Inner Tunnel User-Name
Christoph Egger
christoph_egger at gmx.de
Tue May 6 05:20:54 UTC 2025
On 05.05.25 at 17:03, Alan DeKok wrote:
> On May 5, 2025, at 10:32 AM, Christoph Egger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I have configured EAP-TTLS+PAP using sites-enabled/proxy-inner-tunnel.
>> After I get the Access-Accept message, I do dynamic VLAN assignment in sites-enabled/default in the post-auth section.
>
> OK, that's good.
>
>> The one thing is: the dynamic VLAN assignment uses the outer User-Name. It works if the outer-tunnel matches the inner-tunnel username.
>> I want to do the dynamic VLAN assignment using the Inner-Tunnel User-Name.
>>
>> Where can I access the inner-tunnel %{request.User-Name} with unlang after the Access-Accept message?
>
> You update the inner-tunnel virtual server, and copy the User-Name to the outer request. Perhaps in the "control" list, so that it doesn't affect anything else:
>
>
> 	update outer.control {
> 		&User-Name := &User-Name
> 	}

Thanks. In the output of freeradius -X I see that, in the inner-tunnel authorize, the inner-tunnel Username is assigned to the outer-tunnel.

> Then in the default virtual server, you access &control:User-Name.

There I still get the original outer-tunnel Username. Is it reset somewhere between inner-tunnel authorize and default post-auth?

> The underlying issue is that the inner request is finished (and gone) after it returns an Access-Accept. So you can't access it, because it's gone. You have to manually save any information that you need.

Ah, I was unaware of that. I spent hours trying to do the impossible...
Thank you for pointing this out.

Christoph