use_tunneled_reply
ragan_davis at colstate.edu
Sat Jun 18 04:23:06 CEST 2005
Thanks for the reply. The supplicant indeed sends "anonymous" as
outer, but also sends "novelluser" as inner. So, I think I understand
that the AP/NAS can't see the inner as the request is on its way to
the radius....so at that point, all it knows is "anonymous". However,
according to the comment in eap.conf (v1.0.2):
"The reply attributes sent to the NAS are usually based on the name of
the user 'outside' of the tunnel (usually 'anonymous'). If you want
to send the reply attributes based on the user name inside of the
tunnel, then set this configuration entry to 'yes', and the reply to
the NAS will be taken from the reply to the tunneled request."
This leads a dunce like me to believe that radius will send a reply
back to AP/NAS that has User-Name equaling "novelluser", rather
than "anonymous".
I looked in the debug output (radiusd -A -X, right?). I think this is
what I am supposed to look for:

Sending Access-Accept of id 247 to 192.168.3.2:1024
        MS-MPPE-Recv-Key = 0x17c9701998d6ad7ee94b37819449c3cb0ebd9804c5de36c141a1509816dc6d71
        MS-MPPE-Send-Key = 0xff1226efbfd249e76d3a502c43cc2ca5a95a5a38e9bd0829ca6ba34fe089696a
        EAP-Message = 0x03040004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"

Before seeing this, my suspicion was that the NAS might somehow be
ignoring the new value for User-Name, but it seems it's receiving
exactly what radius is sending it. I thought the
magical "use_tunneled_reply" setting was supposed to fix this? Am I
understanding what "use_tunneled_reply" is actually supposed to do?
Thanks for the patience and the advice.
later,
mack
----- Original Message -----
From: Alan DeKok <aland at ox.org>
Date: Friday, June 17, 2005 1:23 pm
Subject: Re: use_tunneled_reply
> ragan_davis at colstate.edu wrote:
> > Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and
> > Odyssey Client v4.01 as supplicant. Kept seeing the user
> > as "anonymous" in the WCS management software for the client.
>
> Because that's what the supplicant sends.
>
> > So, in eap.conf I changed use_tunneled_reply to equal yes. Still,
> > replies to NAS show User-Name = "anonymous". Have I missed
> > something?
>
> Run the server in debugging mode to see what's going on.
>
> Alan DeKok.
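
A check one could run over saved `radiusd -X` output to list which User-Name each Access-Accept actually carries to the NAS. This is an added example, not part of the original messages or of FreeRADIUS; the function names are hypothetical and the sample log is constructed in the format shown in the debug output above.

```python
import re

# "Sending <code> of id <n> to <host>:<port>", as in the debug output above
HEADER = re.compile(r"^Sending (\S+) of id (\d+) to (\S+?):(\d+)\s*$")
# Indented "Attribute = value" lines that follow a header
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

def parse_replies(debug_text):
    """Return one dict per 'Sending ...' block with its reply attributes."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)),
                       "nas": m.group(3), "attrs": {}}
            replies.append(current)
            continue
        a = ATTR.match(line) if current else None
        if a:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
        else:
            current = None  # any non-attribute line ends the block
    return replies

def outer_identity_accepts(debug_text, outer="anonymous"):
    """(id, nas, User-Name) for Access-Accepts still naming the outer identity."""
    return [(r["id"], r["nas"], r["attrs"]["User-Name"])
            for r in parse_replies(debug_text)
            if r["code"] == "Access-Accept"
            and r["attrs"].get("User-Name") == outer]

# Constructed sample: one challenge, one accept with the outer identity,
# one accept with the inner identity.
SAMPLE = (
    "Sending Access-Challenge of id 246 to 192.168.3.2:1024\n"
    "\tEAP-Message = 0x0104000601\n"
    "Finished request 7\n"
    "Sending Access-Accept of id 247 to 192.168.3.2:1024\n"
    "\tEAP-Message = 0x03040004\n"
    "\tUser-Name = \"anonymous\"\n"
    "Finished request 8\n"
    "Sending Access-Accept of id 248 to 192.168.3.2:1024\n"
    "\tEAP-Message = 0x03050004\n"
    "\tUser-Name = \"novelluser\"\n"
)

if __name__ == "__main__":
    for reply_id, nas, name in outer_identity_accepts(SAMPLE):
        print(f"id {reply_id} to {nas}: User-Name is still {name!r}")
```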