On Fri, Jun 15, 2012 at 11:48:56AM +0200, Alberto MartÃnez wrote:
However, we would want our NAS to see the inner true User-Name, not the outer one. I know this can be set in the inner-tunnel post-auth section uncommenting the update outer.reply lines, but that exposes our users' inner User-Name to proxied-to-us authentications.
So my question is: Which attributes should I check to tell apart local and external auths?
In some way, that depends on what attributes you have available in the requests to check. Packet-Src-Ip-Address is one way. Or set huntgroups for your own NASes (NAS-IP-Address, etc), then just check for membership of the huntgroup. Just rememeber Packet-Src-Ip-Address can't easily be spoofed, whereas attributed in the incoming packet can be. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>