EAP-TTLS outer identity & accounting

Sam Schultz segfault90 at hushmail.com
Mon Mar 19 20:10:50 CET 2007


After a lot of experimenting & researching, I still haven't found
a solution to the TTLS anonymous outer identity being used for
accounting.

I have set a DEFAULT entry that sets the User-Name attribute via
':=', but I still end up with two User-Name attributes (anonymous
identity & real identity). This is especially strange, since 
use_tunneled_reply & copy_request_to_tunnel are both enabled as 
well. 

If I understand correctly, := should replace the anonymous (first)
User-Name value with the real (second) value permitting they are in
the same session. Upon looking back at the debug output, it looks
like the tunneled request is actually handled as if it were a separate
request from the one containing it (request->eap module-(unpack)->new
request). This would explain why two User-Name attributes are showing
up in the final response. Is there any way to discard the first
(anonymous) entry via a module or other method without hacking FR code?

Surely someone has this working. My setup is just basic TTLS-PAP
auth'ing against LDAP.

P.S. A link to a list of known-good access points, or personal
     recommendations on access points would also be appreciated.
     We will be replacing a few 3com APs soon because they don't
     play well with...well...ANYTHING. One (3com OfficeConnect)
     doesn't even have options for radius account, even though
     it advertises the feature right on the box.
