no more anonymous at my.realm

A.L.M.Buxey at A.L.M.Buxey at
Wed Aug 30 14:14:43 CEST 2006


got a small question for those used to xlate etc.  I have a development/test setup
here which is happily authenticating via EAP/TTLS and PEAP. however, what
I am seeing is that Windows users using PEAP are having their real name logged
and recorded, whereas the Mac TTLS and Windows TTLS folk are being recorded
as anonymous at my.realm - ie the outer layer is being recorded as their username
(the inner layer username is happily being used for the authorization stage
so all is okay....but the NAS and authentication/accounting SQL are filled with
the anonymous at my.realm

now, the Windows PEAP users also have anonymous at my.realm as their outer ID but
I believe its the 'Windows is a bit leaky with inner credentials' issue that
is allowing their real ID to be caught and logged. 

whats the recommended way of fixing this? what have other people done to fix this?
enabling features such as  use_tunneled_reply  and  log_stripped_name havent
helped... I am thinking that xlate is the way to go  

oh, and currently the RADPOSTAUTH table is showing the real ID and the anonymous ID
which isnt helping the NAS which receives the anonymous part last.  do I simply drop
or discard the anonymous part when it gets to this proxy box?


More information about the Freeradius-Users mailing list