Question / Copy inner to outer identity
Dominic Stalder
dominic.stalder at bluewin.ch
Tue Nov 4 13:34:09 UTC 2025
Hi Alan
> Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
Got it.
> Reading the debug output, the inner-tunnel virtual server is being run. But the inner-tunnel "Post-Auth-Type" isn't being run.
I really looked / searched for the corresponding part in the debug, but I only found the virtual server proxy-inner-tunnel getting hit. Just for training / future purposes, could you please highlight the corresponding line in the debug output?
And I will try to put the corresponding configuration in another section in the inner-tunnel.
Regards
Dominic
> On 04.11.2025 at 14:22, Alan DeKok via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> On Nov 4, 2025, at 3:54 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>>
>> I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770.html
>>
>> And there are also examples in the FreeRADIUS inner-proxy configuration file:
>
> Do not post the configuration files to the list. We know what's in them. We don't need to see them posted to the list.
>
>> We use PEAP/MS-CHAPv2 on our eduroam SSID.
>>
>> Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) → our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous at unibe.ch accounts, this will be used for further processing in a cloud service.
>>
>> But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxying is done, but here I am not 100% sure about this.
>
> Reading the debug output, the inner-tunnel virtual server is being run. But the inner-tunnel "Post-Auth-Type" isn't being run.
>
>> But maybe you can help me out and point me into the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
>
> Just copy it in another section in the inner-tunnel.
>
> if (!&outer.config:User-Name) {
>     update {
>         &outer.config:User-Name := &User-Name
>     }
> }
>
> Alan DeKok.