<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div>Trying to find a configuration that allows accurate accounting when <span class="">PEAP</span> / TTLS has an anonymous outer user-id.<br><br></div>Using FR 2.2.3 with default configuration.<br>
</div>- add a testing user<br></div>- enable eap.conf use_tunneled_reply for both <span class="">PEAP</span> & TTLS<br><br></div>Observed that,<br></div>- <span class="">PEAP</span> sent inner user-id in the Access-Accept<br>
</div>- TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output attached)<br>
<br></div>Additionally enable 'update outer.reply' in post-auth section for the inner-tunnel virtual server.<br><br></div>Observed that,<br></div>- <span class="">PEAP</span> failed due to identity mismatch. (debug output attached)<br>
</div>- TTLS-PAP sent inner user-id in the Access-Accept.<br><br></div>Seems like both use_tunneled_reply option and update outer.reply in post-auth section have inconsistent behavior.<br><div class="gmail_extra"><br></div>
<div class="gmail_extra">What would be the correct configuration to allow accurate accounting?<br><br></div>Thanks.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Feb 15, 2014 at 11:43 PM, douglas eseng <span dir="ltr">&lt;<a href="mailto:douglas.eseng@gmail.com" target="_blank">douglas.eseng@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div>Trying to find a configuration that allows accurate accounting when PEAP / TTLS has an anonymous outer user-id.<br>
<br></div>Using FR 2.2.3 with default configuration.<br>
</div>- add a testing user<br></div>- enable eap.conf use_tunneled_reply for both PEAP & TTLS<br><br></div>Observed that,<br></div>- PEAP sent inner user-id in the Access-Accept<br></div>- TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output attached)<br>
<br></div>Additionally enable 'update outer.reply' in post-auth section for the inner-tunnel virtual server.<br><br></div>Observed that,<br></div>- PEAP failed due to identity mismatch. (debug output attached)<br>
</div>- TTLS-PAP sent inner user-id in the Access-Accept.<br><br></div>Seems like both use_tunneled_reply option and update outer.reply in post-auth section have inconsistent behavior.<br><div class="gmail_extra"><br></div>
<div class="gmail_extra">What would be the correct configuration to allow accurate accounting?<br><br></div><div class="gmail_extra">Thanks.<br></div></div>
</blockquote></div><br></div>