no more anonymous at my.realm
A.L.M.Buxey at lboro.ac.uk
Wed Aug 30 14:14:43 CEST 2006
hi,
got a small question for those used to xlate etc. I have a development/test setup
here which is happily authenticating via EAP/TTLS and PEAP. however, what
I am seeing is that Windows users using PEAP are having their real name logged
and recorded, whereas the Mac TTLS and Windows TTLS folk are being recorded
as anonymous at my.realm - i.e. the outer layer is being recorded as their username
(the inner layer username is happily being used for the authorization stage,
so all is okay... but the NAS and authentication/accounting SQL are filled with
the anonymous at my.realm).
now, the Windows PEAP users also have anonymous at my.realm as their outer ID but
I believe it's the 'Windows is a bit leaky with inner credentials' issue that
is allowing their real ID to be caught and logged.
what's the recommended way of fixing this? what have other people done to fix this?
enabling features such as use_tunneled_reply and log_stripped_name haven't
helped... I am thinking that xlate is the way to go.
oh, and currently the RADPOSTAUTH table is showing the real ID and the anonymous ID,
which isn't helping the NAS, which receives the anonymous part last. do I simply drop
or discard the anonymous part when it gets to this proxy box?
alan