Trying to find a configuration that allow accurate accounting when PEAP / TTLS having anonymous outer user-id.

Using FR 2.2.3 with default configuration.
- add a testing user
- enable eap.conf use_tunneled_reply for both PEAP & TTLS

Observed that,
- PEAP sent inner user-id in the Access-Accept
- TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output attached)

Additionally enable 'update outer.reply' in post-auth section for the inner-tunnel virtual server.

Observed that,
- PEAP failed due to identity mismatch. (debug output attached)
- TTLS-PAP sent inner user-id in the Access-Accept.

Seem like both use_tunneled_reply option and update outer.reply in post-auth section have inconsistent behavior.

What would be the correct configuration to allow accurate accounting?

Thanks.


On Sat, Feb 15, 2014 at 11:43 PM, douglas eseng <douglas.eseng@gmail.com> wrote:
Trying to find a configuration that allow accurate accounting when PEAP / TTLS having anonymous outer user-id.

Using FR 2.2.3 with default configuration.
- add a testing user
- enable eap.conf use_tunneled_reply for both PEAP & TTLS

Observed that,
- PEAP sent inner user-id in the Access-Accept
- TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output attached)

Additionally enable 'update outer.reply' in post-auth section for the inner-tunnel virtual server.

Observed that,
- PEAP failed due to identity mismatch. (debug output attached)
- TTLS-PAP sent inner user-id in the Access-Accept.

Seem like both use_tunneled_reply option and update outer.reply in post-auth section have inconsistent behavior.

What would be the correct configuration to allow accurate accounting?

Thanks.