On 13/11/13 16:43, Rui Ribeiro wrote:
Dear all,
We have are switching to Meru here, using a FreeRadius 2.12 Debian stock with EDUROAM/EAP-TTLS-MSCHAPv2 + AD authentication, just for the sake of completeness.
Do you mean TTLS/MSCHAP here, or TTLS/EAP-MSCHAPv2? They're different, and in particular since the latter is an EAP inner, it sends a reply User-Name, whereas the former does not, and it gets left to the EAP outer.
What happens is that whilst with our Cisco Controller, the username in the SQL User Accounting is the same as the one in authentication, when dealing with the Meru Controllers, the user in Accounting has no realm/domain unless I copy expressly the User-Name from the inner-tunnel to the outer-tunnel.
The "User-Name" in accounting packets should be: 1. The User-Name from the Access-Accept packet, if set 2. The User-Name from the Access-Request packet, otherwise Look at a debug to see what you're sending in Access-Accept - check you're actually sending the same thing to both devices. Personally I *always* set reply:User-Name myself in post-auth{} blocks, and I *always* qualify it with a realm, even if the user didn't send one. I prefer the explicit approach.