-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jonathan Gazeley wrote:
No - this is a completely standard FreeRADIUS configuration. Nothing relating to rewriting anything has been changed.
In the debug log posted in one of my earlier messages, it appears the FR server sends an Access-Challenge packet from the inner server using my statically set outer ID (testing-jg4461). But immediately after, it reverts to using the original outer ID (qwerty99). Then this username shows in accounting.
This doesn't happen when I set the outer ID in the outer server. In that case, the statically set outer ID sticks and appears in accounting.
What's the difference between using an identical piece of code in inner or outer servers?
As far as i'm aware this has never worked, which is why I still return attributes from the inner tunnel and get it that way. eap { peap { use_tunneled_reply = yes virtual_server = "local.user.inner" } } server local.user.inner { post-auth { # # Return inner identity to use in final accept # update reply { User-Name := "%{Stripped-User-Name}" } } } You can then apply your authorisation policy in post-auth where it should be already :P . Alan, If the last round of the EAP conversation didn't require data to be sent to the inner server the outer.User-Name attribute would just be discarded right? Or do you store those attributes in the same place you store the tunneled-reply ? Arran
Alan DeKok wrote:
Jonathan Gazeley wrote:
Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS expands the username as expected, but why this username never makes it back to the NAS. Does anyone have any ideas?
No idea... is there anything else that's over-writing the User-Name?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmIkB4ACgkQcaklux5oVKJgmgCfYkK6n1qbONnQcaxsETX7F4Gc mqkAniSb92gQtD8Drb9bQspKGRm44ttC =zEOg -----END PGP SIGNATURE-----