Copy inner to outer identity via session-state

Samuel LEFOL samuel.lefol at univ-lorraine.fr
Wed Feb 11 19:26:01 UTC 2026


Hello,

I've configured a FreeRADIUS 3.2.7 system to run PEAP/MSCHAPv2.

I would like to have Inner-Identity and Outer-Identity displayed in the 
logs.

- in mods-enabled/eap, I have:
tls-config tls-common {
   ...
   cache {
     enable=yes
     lifetime = 24
     name = "EAP-EDU module"
     persist_dir = "${db_dir}/tlscache"
   }
}
peap {
   ...
   copy_request_to_tunnel = no
}

- in sites-enabled/inner-tunnel, I put:
post-auth {
   update outer.session-state {
     Tmp-String-0 := &User-Name
   }
   ...
}

or this alternative configuration:
post-auth {
   if (1) {
     update reply {
       Tmp-String-0 := &User-Name
     }
     update {
       &outer.session-state: += &reply:
     }
   }
   ...
}

as it says in the comments of the mods-enabled/eap file "If you need to 
send a reply attribute in the outer session, the ONLY safe way is to set 
"use_tunneled_reply = yes", and then update the inner-tunnel reply."


- in sites-enabled/default
post-auth {
   inner_outer
}

with inner_outer defined in the mods-enabled/linelog file:
linelog inner_outer {
     destination = files
     filename = ${logdir}/inner_outer.log
     format = "Packet-Type=%{%{reply:Packet-Type}:-default} Outer-User=%{User-Name} Inner-User=%{%{session-state:Tmp-String-0}:-unknown}"
}


The problem is that sometimes I get:
Packet-Type=Access-Accept Outer-User=anonymous@xxxx.fr Inner-User=unknown
I don't understand why.


Is it true that the session state may not be restored correctly to the 
last outer packet in certain cases such as:
- TLS session resumption
- specific fragmentation
- specific timing
- Windows fast reconnect

Is this an architectural limitation in version 3.x?


The only truly reliable method I've found is to log the inner identity 
in `inner-tunnel` and the outer identity in `default`, and to correlate 
via Calling-Station-Id + Event-Timestamp.
Is this the only method?


If possible, I would also like to be able to construct 
`reply.User-Name=sam@toto.fr` from `request.User-Name=anonymous@toto.fr` 
+ `inner.User-Name=sam`

Could you please help me?


Best regards,
-- 
Samuel
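
The fallback described in the message (log each identity in its own virtual server, then join on Calling-Station-Id and Event-Timestamp), sketched as an added example that is not part of the original post or of FreeRADIUS. The key=value log layout, the sample lines and the 10-second window are assumptions; full_identity() shows the sam + anonymous@toto.fr -> sam@toto.fr construction asked about at the end.

```python
import re
from bisect import bisect_right
from collections import defaultdict

# Constructed sample lines. The key=value layout is an assumed linelog format,
# not the one from the post: both logs must carry Event-Timestamp (epoch
# seconds) and Calling-Station-Id for this correlation to work.
INNER_LOG = """\
ts=1770837950 csid=AA-BB-CC-DD-EE-FF inner=sam
ts=1770837955 csid=11-22-33-44-55-66 inner=alice@toto.fr
"""
OUTER_LOG = """\
ts=1770837951 csid=aa:bb:cc:dd:ee:ff type=Access-Accept outer=anonymous@toto.fr
ts=1770837956 csid=1122.3344.5566 type=Access-Accept outer=anonymous@toto.fr
ts=1770841000 csid=aa:bb:cc:dd:ee:ff type=Access-Accept outer=anonymous@toto.fr
"""

def records(text):
    # One dict per non-blank line, split on the first '=' of each field.
    return [dict(kv.split("=", 1) for kv in l.split()) for l in text.splitlines() if l.strip()]

def norm_mac(csid):
    # NAS vendors format Calling-Station-Id differently; compare hex digits only.
    return re.sub(r"[^0-9a-f]", "", csid.lower())

def full_identity(inner, outer):
    # Borrow the outer realm only when the inner identity has none.
    if "@" in inner or "@" not in outer:
        return inner
    return inner + "@" + outer.rsplit("@", 1)[1]

def correlate(inner_log, outer_log, window=10):
    by_mac = defaultdict(list)  # normalised MAC -> [(ts, inner identity), ...]
    for rec in records(inner_log):
        by_mac[norm_mac(rec["csid"])].append((int(rec["ts"]), rec["inner"]))
    for recs in by_mac.values():
        recs.sort()
    results = []
    for rec in records(outer_log):
        ts, recs = int(rec["ts"]), by_mac.get(norm_mac(rec["csid"]), [])
        i = bisect_right(recs, (ts, "\U0010ffff"))  # inner records at or before ts
        inner = recs[i - 1][1] if i and ts - recs[i - 1][0] <= window else None
        name = full_identity(inner, rec["outer"]) if inner else "unknown"
        results.append((ts, rec["outer"], name))
    return results

if __name__ == "__main__":
    for row in correlate(INNER_LOG, OUTER_LOG):
        print(*row)
```

A short window limits the chance of attaching a stale inner identity to a later session from the same device; an outer Access-Accept with no inner record inside the window stays "unknown" rather than being guessed.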


