How to reply inner attribute to external system

Post author: Sam Chen
Post link: <a href="https://silent198214.github.io/freeradius/inner-rely-attribute-to-outer/" title="How to reply inner attribute to external system">https://silent198214.github.io/freeradius/inner-rely-attribute-to-outer/
Copyright Notice: All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC8="> BY-NC-SA unless stating additionally.

Posted on 2025-04-06 In freeradius

當我們在 inner tunnel 進行帳號認證後，想要傳送例如 Filter-ID 這個 attribute 給 wireless controller 做 role mapping，會發現 controller 怎麼樣都接收不到這個 attribute 的資訊。

tunnel 保護機制

其原因在於 inner/outer tunnel 的保護機制，預設在 inner tunnel 裡面的資訊是不會揭露給 outer tunnel 知道，controller 驗證過程只會知道 outer tunnel 的訊息，所以自然就會看不見 inner tunnel 想要回傳 Filter-ID 這個 attribute 資訊。

將 inner reply attribute 複製出來

想要將 Filter-ID 能夠透過 reply 機制轉送給 controller，需要調整下面的設定參數，將 if (0) 改成 if (1)

/etc/raddb/site-available/inner-tunnel

#
#  Instead of "use_tunneled_reply", change this "if (0)" to an
#  "if (1)".
#
#if (0) {
if (1) {
    #
    #  These attributes are for the inner-tunnel only,
    #  and MUST NOT be copied to the outer reply.
    #
    update reply {
        User-Name !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
    }

    #
    #  Copy the inner reply attributes to the outer
    #  session-state list.  The post-auth policy will take
    #  care of copying the outer session-state list to the
    #  outer reply.
    #
    update {
        &outer.session-state: += &reply:
    }
}

關鍵在第 28 行的 update，會將 reply 有關的 attribute 複製到 outer tunnel，這樣就能讓 controller 可以正確地接收到。