Re: EAP-TTLS outer identity & accounting
After alot of experimenting & researching, I still haven't found a solution to the TTL anonymous outer identity being used for accounting. I have set a DEFAULT entry that sets the User-Name attribute via ':=', but I still end up with two User-Name attributes (anonymous identity & real identity). This is especially strange, since use_tunneled_reply & copy_request_to_tunnel are both enabled as well. If I understand correctly, := should replace the anonymous (first) User-Name value with the real (second) value permitting they are in the same session. Upon looking back at the debug output, it looks like the tunneled request is actually handled as if it were a seperate request than the one containing it (request->eap module-(unpack)-
new request). This would explain why two User-Name attributes are showing up in the final response. Is there any way to discard the first (anonymous) entry via a module or other method without hacking FR code?
Surely someone has this working. My setup is just basic TTLS-PAP auth'ing against LDAP. P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated. We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius account, even though it advertises the feature right on the box. -- Click for free info on criminal justice degrees and make $150K/ year http://tagline.hushmail.com/fc/CAaCXv1S4xqOnm2zOGqjRJ3VXHodSBUi/
Sam Schultz wrote:
P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated. We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius account, even though it advertises the feature right on the box.
I would recommend Cisco Aironet. Regards, Thor.
Sam Schultz wrote:
I have set a DEFAULT entry that sets the User-Name attribute via ':=', but I still end up with two User-Name attributes (anonymous identity & real identity). This is especially strange, since use_tunneled_reply & copy_request_to_tunnel are both enabled as well.
Then it may be a bug. My tests look like they work, so I'm not sure what the difference is with your configuration.
If I understand correctly, := should replace the anonymous (first) User-Name value with the real (second) value permitting they are in the same session. Upon looking back at the debug output, it looks like the tunneled request is actually handled as if it were a seperate request than the one containing it (request->eap module-(unpack)-
new request).
Yes.
This would explain why two User-Name attributes are showing up in the final response.
Not entirely. If you have use_tunneled_reply = yes, AND you're doing: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name := `%{User-Name}` Then that name should be copied to the outer tunnel, AND the outer tunnel SHOULD NOT add the "anonymous" username in the reply, because it sees the User-Name copied from the tunnel. See src/modules/rlm_eap/*.c
P.S. A link to a list of known-good access points, or personal recommendations on access points would also be appreciated.
See the Wiki. If you have good experiences, add them to the Wiki.
We will be replacing a few 3com APs soon because they don't play well with...well...ANYTHING. One (3com OfficeConnect) doesn't even have options for radius account, even though it advertises the feature right on the box.
Return them as broken. Cisco AP350's seems to be pretty solid. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Sam Schultz -
Thor Spruyt