Inner Tunnel User-Name
Christoph Egger
christoph_egger at gmx.de
Wed May 7 08:23:08 UTC 2025
On 06.05.25 at 12:33, Alan DeKok wrote:
> On May 6, 2025, at 1:20 AM, Christoph Egger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Thanks. In the output of freeradius -X I see in the inner-tunnel authorize the inner-tunnel Username is assigned to the outer-tunnel.
>
> That's good.
>
>>> Then in the default virtual server, you access &control:User-Name.
>>
>> There I still get the original outer-tunnel Username. Is it reset somewhere between inner-tunnel authorize and default post-auth ?
>
> Are you looking in the *control* list?
>
That is how I do the VLAN assignment in default post-auth:
    if (LDAP-Group == "MyGroup") {
        update reply {
            &Tunnel-Type = 13,
            &Tunnel-Medium-Type = 6,
            &Tunnel-Private-Group-Id = "%{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=MyGroup)(member=*%{User-Name}*))}:-20}"
        }
    }
It works when the outer-tunnel username matches the inner-tunnel username.
>>> Then in the default virtual server, you access &control:User-Name.
On your advice I changed %{User-Name} to %{&control:User-Name}:
    if (LDAP-Group == "MyGroup") {
        update reply {
            &Tunnel-Type = 13,
            &Tunnel-Medium-Type = 6,
            &Tunnel-Private-Group-Id = "%{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=MyGroup)(member=*%{&control:User-Name}*))}:-20}"
        }
    }
> As always, post the debug output.
>
    EXPAND (&(objectClass=posixAccount)(cn=%{User-Name}))
    --> (&(objectClass=posixAccount)(cn=thatsme))
    Performing search in "ou=users,dc=ldap,dc=example,dc=com" with filter "(&(objectClass=posixAccount)(cn=thatsme))", scope "sub"
    Waiting for search result...
    Search returned no results
Oh, freeradius did not reload the default file on restart ... Is there some caching?
"thatsme" is the outer-tunnel username, which does not exist in the LDAP database.
Regards,
Christoph
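For reference, here is how the pieces discussed in this thread fit together in unlang; this is an added illustration, not configuration from the thread or from the FreeRADIUS default files. The inner-tunnel server copies the authenticated inner identity into the outer request's control list, the ldap module's user filter (which the debug output above shows expanding %{User-Name}) is changed to prefer that copy, and the default server's post-auth keys the VLAN decision on %{control:User-Name} rather than on the unauthenticated outer identity. Section names are the standard ones; the base DNs, group name and fallback VLAN are taken from the thread, and the ldap filter change is an assumption based on the posted debug output.

```unlang
# --- sites-available/inner-tunnel, post-auth section (added illustration) ---
# When post-auth runs here, User-Name is the identity that was actually
# authenticated inside the TLS tunnel. Copy it into the *outer* request's
# control list so the outer virtual server can authorize on it.
post-auth {
	update outer.control {
		&User-Name := &User-Name
	}
}

# --- mods-available/ldap, user lookup (added illustration) ---
# The LDAP-Group comparison runs the module's own user filter. Evaluated in
# the outer server, %{User-Name} is the outer identity, so prefer the control
# copy and only fall back to the request attribute.
ldap {
	user {
		base_dn = "ou=users,dc=ldap,dc=example,dc=com"
		filter = "(&(objectClass=posixAccount)(cn=%{%{control:User-Name}:-%{User-Name}}))"
	}
}

# --- sites-available/default, post-auth section (added illustration) ---
# The outer User-Name is chosen by the supplicant and never authenticated,
# so the VLAN lookup uses the control copy set by the inner tunnel.
post-auth {
	if (LDAP-Group == "MyGroup") {
		update reply {
			# VLAN (13) over IEEE-802 (6), as in the thread
			&Tunnel-Type = VLAN,
			&Tunnel-Medium-Type = IEEE-802,
			# The wildcards make "member" a substring match; matching on the
			# user's full DN instead would make it exact. Falls back to VLAN 20.
			&Tunnel-Private-Group-Id = "%{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=MyGroup)(member=*%{control:User-Name}*))}:-20}"
		}
	}
}
```

After editing, restart the daemon and confirm in the freeradius -X output that the EXPAND line for the user filter now shows the inner-tunnel name.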