Question / Copy inner to outer identity
Dominic Stalder
dominic.stalder at bluewin.ch
Fri Nov 7 14:03:46 UTC 2025
OK, let’s try again.
Goal: copy the inner identity to the outer session state and then add this inner identity to the Access-Accept message as username.
What I did:
1. added the save of (a) inner identity into the session-state namespace in the authorize{} section in proxy-inner-tunnel:
/etc/sites-enabled/proxy-inner-tunnel:
server proxy-inner-tunnel {
    authorize {
        if (&User-Name) {
            update {
                &outer.session-state:locInner-User-Name := "user at example.com"
            }
        }
        update control {
            &Proxy-To-Realm := REALM-NPS-DEV
        }
    }
}
---
2. Tried to read the session-state namespace attribute and add it to the Access-Accept / reply message in different sections in default:
/etc/sites-enabled/default:
server default {
    post-auth {
        debug_all
        if (&session-state:locInner-User-Name) {
            update reply {
                User-Name := "%{session-state:locInner-User-Name}"
            }
        }
        update {
            &reply: += &session-state
        }
    }
    post-proxy {
        if (&session-state:locInner-User-Name) {
            update reply {
                User-Name := "%{session-state:locInner-User-Name}"
            }
        }
        attr_filter.post-proxy
        eap
    }
}
Does this help to clarify my intention and what I tried?
Regards
> On 07.11.2025 at 14:49, Alan DeKok via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> On Nov 7, 2025, at 8:10 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>> I think I was on track with getting it running based on your recommendation, but I think this „defect“ here is playing against our setup:
>>
>> https://github.com/FreeRADIUS/freeradius-server/issues/5288
>>
>> https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105157.html
>
> Maybe?
>
>> I know you wrote this back then:
>>> For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down.
>> But I am not able to completely change our setup in a short amount of time. Is there any other workaround for this specific problem?
>
> I really don't know. You've been (again) careful to not describe what you did.
>
> Presumably you edited the configuration files somehow.
>
> I gave explicit instructions on what to do. That should work, and that should not be affected by the bug report.
>
> But again, you've been careful to hide as much information as possible.
>
> You need to post clear and descriptive messages. You're not doing that. Learn how to ask good questions. Until you do that, it's essentially impossible to help you.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html