Inner identity in accounting logs

Jonathan Gazeley jonathan.gazeley at bristol.ac.uk
Mon Feb 9 16:13:35 CET 2009


Arran Cudbard-Bell wrote:
>
> As far as I'm aware this has never worked, which is why I still return
> attributes from the inner tunnel and get it that way.
>
>
> eap {
>
> 	peap {
> 		use_tunneled_reply = yes
> 		virtual_server = "local.user.inner"
> 	}
> }
>
>
> server local.user.inner {
> 	post-auth {
> 		#
> 		#  Return inner identity to use in final accept
> 		#
> 		update reply {
> 			User-Name := "%{Stripped-User-Name}"
> 		}
> 	}
> }
>
>
>   
This is pretty much the config I had already. My eap.conf already 
specifies a virtual inner server. The only difference was that I had 
'use_tunneled_reply = no', so I changed that to 'yes'.

My inner virtual server, 'inner-tunnel' already had an 'update reply' 
block identical to yours.

But with this change I still get the outer identities in my accounting 
logs. Any ideas what's up?

> You can then apply your authorisation policy in post-auth where it
> should be already :P .
>   
The reason for authorising before we authenticate is because the 
database query for authorisation is much faster than the request to the 
AD controllers, and this saves unnecessary load on the AD controllers. I 
know it's not really best practice.

Many thanks,
Jonathan


