Jason Fenner wrote:
However, when I test PEAP using eapol_test authentication also works fine, but the ldap group checking occurs only on the outer-tunnel username. In this case, the outer tunnel is created using the username "anonymous". This user doesn't exist in AD, so a failure is the response.
In inner-tunnel post-auth I have this snippet:
update outer.reply { User-Name = "%{request:User-Name}" }
And go read the LDAP configuration. Is it look for %{User-Name}, or %{reply:User-Name} ?
My understanding was that this should copy the real username from the inner tunnel to the outer tunnel.
To the *reply* list. That's what you said. You've read enough of the documentation to explicitly reference the "request" list above, so you know it's different from the "reply" or "outer.reply" list. Now go apply that knowledge further.
This should then allow ldap groupcheck to test the correct username.
No.
I never see a ldap check on the inner tunnel at all.
Because you didn't configure "ldap" in the raddb/sites-available/inner-tunnel virtual server. This is documented.
I see this strange output in debug in relation to the snipet above: .. I would think that outer.reply should return ok or something other then noop.
No. It returns "noop" for some esoteric reasons. But that's a distraction, and not the source of the real problem. Alan DeKok.