Hello, on radius 1.1.x I have some users autenticating using an outer identity. This is annoying to me because in the radius.log file I cannot identify easily who is the real user autenticating, since outer identity can be anything. How can I forbid in freeradius configuration to use an outer identity or anonymous ? I wish to forbid autentications which uses an outer identity. howto have control over it ? thank you Rick
Hello, on radius 1.1.x I have some users autenticating using an outer identity. This is annoying to me because in the radius.log file I cannot identify easily who is the real user autenticating, since outer identity can be anything. How can I forbid in freeradius configuration to use an outer identity or anonymous ? I wish to forbid autentications which uses an outer identity. howto have control over it ?
You can't stop them using anonimous outer identity. You should copy inner identity and send it in Access-Accept. Upgrade. It's easy in current version. Ivan Kalik Kalik Informatika ISP
Unfortunately I am bound to 1.1.7 version in my whole infrastructure how can I copy inner identity and send it to access-accept? Thanks Il giorno 25/mag/09, alle ore 18:52, "Ivan Kalik" <tnt@kalik.net> ha scritto:
Hello, on radius 1.1.x I have some users autenticating using an outer identity. This is annoying to me because in the radius.log file I cannot identify easily who is the real user autenticating, since outer identity can be anything. How can I forbid in freeradius configuration to use an outer identity or anonymous ? I wish to forbid autentications which uses an outer identity. howto have control over it ?
You can't stop them using anonimous outer identity. You should copy inner identity and send it in Access-Accept. Upgrade. It's easy in current version.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
Unfortunately I am bound to 1.1.7 version in my whole infrastructure
That's sad. It means you can't take advantage of the many new features in 2.1.
how can I copy inner identity and send it to access-accept?
See "use_tunneled_reply" in eap.conf. Alan DeKok.
Alan DeKok wrote:
Riccardo Veraldi wrote:
Unfortunately I am bound to 1.1.7 version in my whole infrastructure
That's sad. It means you can't take advantage of the many new features in 2.1.
how can I copy inner identity and send it to access-accept?
See "use_tunneled_reply" in eap.conf.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes I have to plan an upgrade, but this has to be done in about 20 different sites, and freeradius 2.x is different in configuration files and everythign may not work out of the box upgrading from 1.1.x to 2.1, isn't it ? thank you Riccardo
Riccardo Veraldi wrote:
Yes I have to plan an upgrade, but this has to be done in about 20 different sites,
It takes time, but it shouldn't be hard.
and freeradius 2.x is different in configuration files and everythign may not work out of the box upgrading from 1.1.x to 2.1, isn't it ?
You CANNOT use the 1.1 configuration files in 2.1. However, they are *very* similar. It shouldn't take too long to do the conversion. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ivan Kalik wrote:
Hello, on radius 1.1.x I have some users autenticating using an outer identity. This is annoying to me because in the radius.log file I cannot identify easily who is the real user autenticating, since outer identity can be anything. How can I forbid in freeradius configuration to use an outer identity or anonymous ? I wish to forbid autentications which uses an outer identity. howto have control over it ?
You can't stop them using anonimous outer identity. You should copy inner identity and send it in Access-Accept. Upgrade. It's easy in current version.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html In freeradius 2.* insert
if("%{outer.request:User-Name}" != "%{User-Name}){ reject } Into the inner server. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoa1ToACgkQcaklux5oVKK94ACfY733EzLC/6I1BEuUin7hI2wo uh4An1jq9oa9dNIJG4nnhikZXMaO1d+p =phr8 -----END PGP SIGNATURE-----
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik -
Riccardo Veraldi