Force Inner=Outer identity
Hi All Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our monitoring software, it displays the user's outer identity. Problem is, a user can specify any userID as it's outer Identity and as long as it's a valid outer Identity, that's what shows up in our monitoring software. Makes user tracking quite difficult. Is there any way to force a users's outer identity to equal their inner identity? Thanks Matt Ashfield mda@unb.ca
Hi All I doubt my original post was doable, , it probably doesn't make sense to ask FR to be able to force Inner=Outer identity. In that case, would it be possible to perform authorization based on the Inner identity instead of the Outer identity? Matt mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of Matt Ashfield Sent: May 2, 2007 11:29 AM To: 'FreeRadius users mailing list' Subject: Force Inner=Outer identity Hi All Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our monitoring software, it displays the user's outer identity. Problem is, a user can specify any userID as it's outer Identity and as long as it's a valid outer Identity, that's what shows up in our monitoring software. Makes user tracking quite difficult. Is there any way to force a users's outer identity to equal their inner identity? Thanks Matt Ashfield mda@unb.ca - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matt Ashfield wrote:
Hi All I doubt my original post was doable, , it probably doesn't make sense to ask FR to be able to force Inner=Outer identity.
In that case, would it be possible to perform authorization based on the Inner identity instead of the Outer identity?
Sure. See the "copy_request_to_tunnel" (which you may need) and "use_tunneled_reply" (which you will need) config option on the particular EAP type you're using, and put something like this into play: DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type = "INNER" ...then in authorize: authorize { preprocess files Autz-Type INNER { sql/ldap/files_2/whatever adds the vlan tag } }
participants (2)
-
Matt Ashfield -
Phil Mayers