d.thembiliyag...@lancaster.ac.uk wrote:
> I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRADIUS
> server. How can I get the tunnelled User-Name (User-Name used in inner
> authentication phase) using unlang in FreeRADIUS server? Now I can only
> get the User-Name used for the outer authentication (ex: anonymous).

PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a
double-inner in play.  The best suggestion I have (after years of
tweaking it to be just right) is in your inner authorize use:

authorize {
  # copy the inner User-Name to the outer request (survives an inner reject)
  update outer.request {
    User-Name := "%{request:User-Name}"
  }
  # and into the reply
  update reply {
    User-Name := "%{request:User-Name}"
  }

  # put the inner Auth-Type into the reply as well
  update reply {
    Auth-Type := "%{control:Auth-Type}"
  }
}

On the outer layer, you then use
'%{%{reply:User-Name}:-%{request:User-Name}}' to get the username.  This
means you get the inner username for:
 * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications
 * when your inner server rejects the request (i.e. bad password) (this
   is why you stuff the inner username into outer.request)
 * TTLS/PEAP has the option of TLS cached sessions which is *good*,
   doing things this way means you still get the inner name for
   resumed sessions

As a bonus, the Auth-Type is extractable. If you use TLS cached
sessions, then this will be EAP.


Alexander Clouter
.sigmonster says: It was Penguin lust... at its ugliest.
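
The fallback described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: a small Python model of the `%{list:Attr}` and `%{%{A}:-B}` expansions, run over constructed attribute lists for the accept, reject and resumed cases. The identities `alice` and `anonymous`, the helper names, and the way each case fills the lists (inner reply reaching the outer reply on accept, cached reply restored on resumption) are assumptions for illustration.

```python
def _group(s, i, lists):
    """Expand one %{...} body starting at index i; return (value, index past '}').
    Handles only the two forms used in the post."""
    if s.startswith("%{", i):                  # alternation: %{%{A}:-B}
        first, i = _group(s, i + 2, lists)
        if not s.startswith(":-", i):
            raise ValueError("expected ':-' at offset %d" % i)
        rest, i = _text(s, i + 2, lists)       # B may itself hold %{...} groups
        return (first or rest), i + 1
    end = s.index("}", i)                      # plain reference: %{list:Attr}
    list_name, attr = s[i:end].split(":", 1)
    return lists.get(list_name, {}).get(attr, ""), end + 1

def _text(s, i, lists):
    """Expand literal text and nested groups up to an unmatched '}' or the end."""
    out = []
    while i < len(s) and s[i] != "}":
        if s.startswith("%{", i):
            val, i = _group(s, i + 2, lists)
        else:
            val, i = s[i], i + 1
        out.append(val)
    return "".join(out), i

def xlat(template, lists):
    return _text(template, 0, lists)[0]

OUTER_NAME = "%{%{reply:User-Name}:-%{request:User-Name}}"  # outer-layer lookup
INNER_COPY = "%{request:User-Name}"                         # value set in inner authorize

def outer_view(case, copy_to_outer_request=True):
    """Username the outer server resolves for 'accept', 'reject' or 'resumed'."""
    outer = {"request": {"User-Name": "anonymous"}, "reply": {}}  # constructed
    inner = {"request": {"User-Name": "alice"}}                   # constructed
    if case == "resumed":
        # assumption: inner server is skipped and the cached reply is restored
        outer["reply"]["User-Name"] = "alice"
        return xlat(OUTER_NAME, outer)
    name = xlat(INNER_COPY, inner)
    if copy_to_outer_request:
        outer["request"]["User-Name"] = name   # update outer.request { ... }
    if case == "accept":
        outer["reply"]["User-Name"] = name     # assumption: inner reply reaches outer
    return xlat(OUTER_NAME, outer)             # on reject the inner reply is dropped
```

Calling `outer_view("reject", copy_to_outer_request=False)` shows what is lost without the `outer.request` update: the outer server only sees the anonymous identity for a failed login.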
