Hi,
After uncommenting that in inner-tunnel, I see local users authenticated by the LOCAL auth called outer.reply. But this is not the case for external users(Realm handled by external proxy).
The latter is what I really want: being able to see which external user is authenticating.
The whole concept of inner tunneling and protecting it via TLS is *because* you are *not* supposed to see the actual authentication credentials. For your local users, you terminate the tunnel yourself and can decide to expose the information by uncommenting the above, but for non-local users it is supposed to not work.
As we are not doing Accounting, isn't it possible to move the outer.reply higher up in the stack? Or it shouldn't matter?
Outer anonymous identities preserve privacy of the (remote) user authenticating. If you want to change that, you need a business agreement with the remote party to disclose their user information to you. Taking a peek at your mail domain name: if you are about to set up eduroam - there is no automated disclosure of the inner identity in eduroam. There is a process to ask the identity provider (IdP) retroactively *if and when* the user has done something wrong and needs to be traced. But there is no proactive information disclosure - or better put, it's in the discretion of the IdP to tell the rest of the world who his user is; unsurprisingly most IdPs opt not to do so, if for no other reason than to evade privacy and data protection laws. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473