Difference between local and external in inner-tunnel
Matthew Newton
mcn4 at leicester.ac.uk
Fri Jun 15 12:03:50 CEST 2012
On Fri, Jun 15, 2012 at 11:48:56AM +0200, Alberto Martínez wrote:
> However, we would want our NAS to see the inner true User-Name, not the
> outer one. I know this can be set in the inner-tunnel post-auth section
> uncommenting the update outer.reply lines, but that exposes our users'
> inner User-Name to proxied-to-us authentications.
>
> So my question is: Which attributes should I check to tell apart local and
> external auths?
In some way, that depends on what attributes you have available in
the requests to check.
Packet-Src-Ip-Address is one way. Or set huntgroups for your own
NASes (NAS-IP-Address, etc), then just check for membership of the
huntgroup.
Just remember Packet-Src-Ip-Address can't easily be spoofed,
whereas attributes in the incoming packet can be.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
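
The check suggested above, sketched as an added example (not part of the original message or of the FreeRADIUS distribution). It assumes FreeRADIUS 2.x unlang syntax, and 192.0.2.10 is a placeholder for the address of one of your own NASes:

```unlang
# raddb/sites-available/inner-tunnel (FreeRADIUS 2.x syntax assumed)
post-auth {
	# 192.0.2.10 is a placeholder for one of your own NASes.
	# Packet-Src-IP-Address is the address the outer packet actually
	# arrived from, so a request relayed to us by another RADIUS server
	# carries that server's address and does not match here.
	if ("%{outer.request:Packet-Src-IP-Address}" == "192.0.2.10") {
		# The update block mentioned in the question, now applied
		# only to authentications coming from the local NAS.
		update outer.reply {
			User-Name = "%{request:User-Name}"
		}
	}
}
```

With several NASes, the huntgroup approach from the reply avoids repeating one condition per address.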