Mike Diggins wrote:
A "normal" authentications look like this: Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client wlc-6 port 0 via TLS tunnel) Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client wlc-6 port 13 cli xx-xx-xx-xx-xx-xx)
So these odd looking ones are missing the "TLS tunnel" line and apparently that is the inner tunnel - the one sent to AD for authentication, correct?
Yes. The two lines above are the same user, inner + outer tunnel.
If the outer identity name is not valid then why does FR log "Login OK"
Because the inner tunnel authenticated the user. The name in the outer tunnel is informative. It's not really used without the other.
and under what situation would I see one without the other?
You won't. Where the user is authenticated via PEAP, you should ALWAYS see two "Login OK" lines. However, the names may be different.
Is it possible to set the inner/outer identity to be different just using a regular client OS?
Yes. Alan DeKok.