Question / Copy inner to outer identity
Alan DeKok
alan.dekok at inkbridge.io
Tue Nov 4 13:22:46 UTC 2025
On Nov 4, 2025, at 3:54 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>
> I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770.html
>
> And there are also examples in the FreeRADIUS inner-proxy configuration file:
Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
> We use PEAP/MS-CHAPv2 on our eduroam SSID.
>
> Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) → our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous at unibe.ch accounts, this will be used for further processing in a cloud service.
>
> But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxying is done, but here I am not 100% sure about this.
Reading the debug output, the inner-tunnel virtual server is being run. But the inner-tunnel "Post-Auth-Type" isn't being run.
> But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Just copy it in another section in the inner-tunnel.
	if (!&outer.config:User-Name) {
		update {
			&outer.config:User-Name := &User-Name
		}
	}
Alan DeKok.