reauth-problem with WPA2-tls

Alexander Clouter alex at digriz.org.uk
Thu Jun 3 16:17:50 CEST 2010


Bjørn Mork <bjorn at mork.no> wrote:
>
>> The 'No information to cache' means you do not have anything useful 
>> (for example 'User-Name') in the reply packet.
> 
> Makes sense.
> 
>> In the post-auth of my inner-eap virtual server I have added:
>> ----
>> post-auth {
>>   ...
>>   # needed for TTLS cache
>>   update reply {
>>     User-Name := "%{request:User-Name}"
>>   }
>>   ...
>> }
>> ----
>>
>> That should fix your problem.
> 
> Thanks. Looks like something for the default config/documentation with
> that comment included.
> 
To make things more interesting, depending on your situation[1] you might 
want to then strip the User-Name attribute from your reply traffic on 
the outer layer.

We do this as in the 'eduroam' world when our lusers are roaming away 
from their home institution we want to protect the guilty and give them 
some degree of anonymity.  This means the remote organisation the user 
is visiting only sees the username in the initial request packet...which 
for TTLS *should* be '@example.com' and *not* 'luser at example.com'.

Of course when our users are onsite we pass on the User-Name in the 
Access-Accept so that the accounting packets from the NAS have the inner 
username present making grepping/SELECTing your accounting logs that 
much easier.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are so boring that when I see you my feet go to sleep.
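The two-layer policy described above, written out as an added unlang example (not Alexander's or the FreeRADIUS project's own configuration): the inner-eap server copies the inner identity into its reply so the TTLS cache has something to key on, and the outer server drops it again only when the request arrived through the roaming proxy. The client shortname "eduroam-proxy", the realm example.com and the server names are assumptions.

```unlang
# --- inner-eap virtual server (sites-enabled/inner-eap), assumed name ---
post-auth {
	# Needed for the TTLS session cache: without User-Name in the reply
	# the server logs 'No information to cache' and never resumes.
	update reply {
		User-Name := "%{request:User-Name}"
	}
}

# --- outer virtual server (sites-enabled/default), assumed name ---
post-auth {
	# %{client:shortname} expands to the clients.conf entry the request
	# came from; "eduroam-proxy" is an assumed shortname for the national
	# roaming proxy, while local NAS entries use any other name.
	if ("%{client:shortname}" == "eduroam-proxy") {
		# Roaming user: the visited site only ever saw the outer
		# identity '@example.com' in the Access-Request, so remove
		# every User-Name the inner tunnel put in the Access-Accept.
		update reply {
			User-Name !* ANY
		}
	}
	else {
		# On-site user: leave the inner User-Name in the Access-Accept
		# so the NAS echoes it in accounting and the logs stay greppable.
	}
}
```

Test with `radtest`/`eapol_test` from a local NAS and through the proxy client and compare the Access-Accept attributes in `radiusd -X` output: the first should carry the inner User-Name, the second should not.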