I set in copy_tunnel_reply to yes and I use the inner-tunnel user-name in my default / post-auth. And I still have the real user-name hidden. In default / post-auth : update reply{ User-Name := "%{request:User-Name}" Tunnel-Medium-Type = 6 Tunnel-Type = 13 Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan %{reply:User-Name}` } It will now work nicely with your fix. Thanks 2009/6/2 Alan DeKok <aland@deployingradius.com>:
A.L.M.Buxey@lboro.ac.uk wrote:
does this fix mean that TTLS and PEAP get the inner identity copied correctly so there is no more need for
update outer.reply { User-Name = "%{User-Name}" }
That's still needed. The question is what do you want the server to do. Always over-ride the outer name with the inner one? If so, why is the outer one "anonymous", and the inner one "user@realm"?
i.e. "anonymous" is being used to hide the inner name... which promptly gets exposed with that rule. Is this a good idea?
What else could be done to be secure, but also useful?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html