Sam Schultz wrote:
I have set a DEFAULT entry that sets the User-Name attribute via ':=', but I still end up with two User-Name attributes (anonymous identity & real identity). This is especially strange, since use_tunneled_reply & copy_request_to_tunnel are both enabled as well.
Then it may be a bug. My tests look like they work, so I'm not sure what the difference is with your configuration.
If I understand correctly, := should replace the anonymous (first) User-Name value with the real (second) value permitting they are in the same session. Upon looking back at the debug output, it looks like the tunneled request is actually handled as if it were a seperate request than the one containing it (request->eap module-(unpack)-
new request).
Yes.
This would explain why two User-Name attributes are showing up in the final response.
Not entirely. If you have use_tunneled_reply = yes, AND you're doing: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}` Then that name should be copied to the outer tunnel, AND the outer tunnel SHOULD NOT add the "anonymous" username in the reply, because it sees the User-Name copied from the tunnel. See src/modules/rlm_eap/*.c
P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated.
See the Wiki. If you have good experiences, add them to the Wiki.
We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius account, even though it advertises the feature right on the box.
Return them as broken. Cisco AP350's seems to be pretty solid. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog