tnt-4 wrote:
We are going to proxy EAP to another site with all freeradius (we are
using
2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows:
Our site only accept non @domain format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius).
But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using @domain to pass the EAP/mschapv2 authentication with stripped-user-name, I'm not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication,
That's fine.
and then I try to remove the suffix from inner EAP user name or change the outer user name in client EAP supplicant
And why would you want to do a thing like that? Just leave it alone.
No, I just want to let our user using an anonymous account as the outer user name for authentication to improve the security, and using the true account for inner tunnel.
(in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel?
Why do you care what is stored on their database? It's none of your concern. You just proxy unaltered usernames to them. Because the administrator said that their user name all without suffix, so I want to setup a similar home radius to do the authentication without suffix user name (testing 3 show as below). but I got fail since if all accounts stored in file/DB without suffix just like user1, I can not pass the authentication with user1@aaa.net in inner tunnel because I don't know (or it is impossible) how to remove the suffix before do the authentication. I guess may be they also stored with suffix user name in their DB/File
And how can remove the suffix in inner EAP tunnel while authentication?
By using suffix module in freeradius (enabled by default). You just configure aaa.net as a local realm in proxy.conf. You means that add a realm in proxy.conf of PROXY server OR in home terminal radius server? as following configuration, it seems should be apply on home radius server, right? realm aaa.net { auth_pool = localhost # nostrip (enable or not?) } The following is the result by my testing for outer tunnel and inner tunnel authentication with my proxy and home radius server, I'm using SecureW2_EAP_Suite_113 with PEAP/MSChapV2: (1) user name which stored in home radius file: user2@aaa.net outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2@aaa.net result: passed (2) user name which stored in home radius file: user2@aaa.net outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2 result: failed (3) user name which stored in home radius file: user2 outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2@aaa.net result: failed (4) user name which stored in home radius file: user2 outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2 result: passed - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/EAP-Outer-and-Inner-Tunnel-Behaviour-Discussion-tp2290... Sent from the FreeRadius - User mailing list archive at Nabble.com.