d.thembiliyag...@lancaster.ac.uk wrote:
>
> I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius
> server. How can I get the tunnelled User-Name (User-Name used in inner
> authentication phase) using unlang in FreeRADIUS server? Now I can only
> get the User-Name used for the outer authentication (ex: anonymous).
>

PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a double-inner in play.

The best suggestion I have (after years of tweaking it to be just right) is in your inner authorize use:
----
authorize {
	update outer.request {
		User-Name := "%{request:User-Name}"
	}
	update reply {
		User-Name := "%{request:User-Name}"
	}

[snipped]

	update reply {
		Auth-Type := "%{control:Auth-Type}"
	}
}
----
On the outer layer, you then use '%{%{reply:User-Name}:-%{request:User-Name}}' to get the username.

This means you get the inner username for:
 * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications
 * when your inner server rejects the request (i.e. bad password) (this is why you stuff the inner username into outer.request)
 * TTLS/PEAP has the option of TLS cached sessions which is *good*, doing things this way means you still get the inner name for resumed sessions

As a bonus, the Auth-Type is extractable... if you use TLS cached sessions, then this will be EAP.

Cheers

-- 
Alexander Clouter
.sigmonster says: It was Penguin lust... at its ugliest.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
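
One way to consume the expansion from the message above on the outer layer, as an added example that is not part of the original post or of the FreeRADIUS distribution: an audit log line written for both accepted and rejected requests. The instance name `inner_identity_log`, the log file name and the log format are made up for this example, and it assumes `use_tunneled_reply = yes` in the ttls/peap sections of the EAP module so that inner reply attributes are copied to the outer reply.

```unlang
# Added example. Module definition, e.g. in the modules directory.
# "inner_identity_log" and the file name are hypothetical names.
linelog inner_identity_log {
	filename = ${logdir}/inner-identity.log

	# reply:User-Name is present on accept and on resumed TLS sessions;
	# request:User-Name is the fallback for an inner reject, where it
	# already holds the inner name written by the inner authorize section.
	# reply:Auth-Type is the value copied from control:Auth-Type in the
	# inner server; "unknown" is logged when it is absent.
	format = "%t user=%{%{reply:User-Name}:-%{request:User-Name}} auth-type=%{%{reply:Auth-Type}:-unknown} station=%{request:Calling-Station-Id}"
}

# Outer virtual server (the one that receives the EAP-TTLS/PEAP request).
post-auth {
	# Accepted requests: logs the inner identity instead of "anonymous".
	inner_identity_log

	Post-Auth-Type REJECT {
		# Rejected requests: same line, so failed attempts are
		# attributable to the inner identity that was tried.
		inner_identity_log
	}
}
```

Because the inner identity now lands in a file, that file should have the same access restrictions as the other RADIUS logs.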