EAP Outer and Inner Tunnel Behaviour Discussion

tnt at kalik.net
Mon Apr 6 13:54:09 CEST 2009


>We are going to proxy EAP to another site with all freeradius (we are using
>2.1.4, the other site is using 1.x), but some interesting problems
>occurred; details are as follows:
>
>Our site only accepts the non-@domain format for inner EAP tunnel
>authentication since the user DB only stores user names without a suffix (as in my
>previous post, a replier said that the EAP user name cannot be changed by the terminal
>home server even using unlang or strip in proxy.conf, so I gave up
>changing the inner EAP user name in our terminal home radius).
>
>But the administrator of the other site which connects with us said that their
>user names stored in file/DB are also without suffix but can use @domain to pass
>the EAP/mschapv2 authentication with stripped-user-name. I'm not sure how
>and why, but after testing, I can use anonymous@aaa.net as the user name of the
>outer EAP tunnel and user1@aaa.net as the user name of the inner EAP tunnel to pass
>the authentication,

That's fine.

>and then I tried to remove the suffix from the inner EAP user
>name or change the outer user name in the client EAP supplicant

And why would you want to do a thing like that? Just leave it alone.

>(in our site
>changing the outer user name is accepted; you can use any outer user name since
>the proxy server only cares about the suffix), and it fails. So what do you think about how
>the user name is actually stored in the other site's DB: is it without suffix or
>with it? But if they are all without suffix, why can't I log in with a non-suffix
>user name in the inner EAP tunnel?

Why do you care what is stored on their database? It's none of your
concern. You just proxy unaltered usernames to them.

>
>And how can I remove the suffix in the inner EAP tunnel during authentication?

By using suffix module in freeradius (enabled by default). You just
configure aaa.net as a local realm in proxy.conf.

>Or all accounts have a suffix in the other site's DB.

That is also possible.

Ivan Kalik
Kalik Informatika ISP
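
The local-realm setup described in the reply above, as an added configuration sketch that is not part of the original message or the poster's actual files. It assumes the FreeRADIUS 2.x default file layout and uses aaa.net, the realm named in the thread; the position of the user lookup module is illustrative.

```conf
# --- proxy.conf ---
# A realm block with no home server or pool is treated as local:
# requests for user@aaa.net are handled on this server, not proxied.
realm aaa.net {
}

# --- modules/realm (stock definition of the "suffix" instance) ---
realm suffix {
	format = suffix
	delimiter = "@"
}

# --- sites-available/inner-tunnel, authorize section (fragment) ---
authorize {
	mschap

	# Looks up the part after "@" in the realms from proxy.conf.
	# For an inner identity of user1@aaa.net this adds
	#   Realm              = "aaa.net"
	#   Stripped-User-Name = "user1"
	# The User-Name sent by the supplicant is left unchanged.
	suffix

	eap

	# User database lookup (assumption: the "files" module; replace
	# with sql, ldap, etc. as used on the site).
	files
}
```

Running the server in debug mode (`radiusd -X`) shows whether the realm matched and which attributes were added for the inner request.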



