EAP-TTLS outer identity & accounting

Alan DeKok aland at deployingradius.com
Tue Mar 20 15:38:25 CET 2007


Sam Schultz wrote:
>
> I have set a DEFAULT entry that sets the User-Name attribute via
> ':=', but I still end up with two User-Name attributes (anonymous
> identity & real identity). This is especially strange, since 
> use_tunneled_reply & copy_request_to_tunnel are both enabled as 
> well. 

  Then it may be a bug.  My tests look like they work, so I'm not sure
what the difference is with your configuration.

> If I understand correctly, := should replace the anonymous (first)
> User-Name value with the real (second) value permitting they are in
> the same session. Upon looking back at the debug output, it looks like
> the tunneled request is actually handled as if it were a separate
> request than the one containing it (request->eap module-(unpack)->new
> request).

  Yes.

> This would explain why two User-Name attributes are showing up in the
> final response.

  Not entirely.  If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name := `%{User-Name}`

  Then that name should be copied to the outer tunnel, AND the outer
tunnel SHOULD NOT add the "anonymous" username in the reply, because it
sees the User-Name copied from the tunnel.  See src/modules/rlm_eap/*.c

> P.S. A link to a list of known-good access points, or personal
>      recommendations on access points would also be appreciated.

  See the Wiki.  If you have good experiences, add them to the Wiki.

>      We will be replacing a few 3com APs soon because they don't
>      play well with...well...ANYTHING. One (3com OfficeConnect)
>      doesn't even have options for radius account, even though
>      it advertises the feature right on the box.

  Return them as broken.

  Cisco AP350's seem to be pretty solid.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
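
Added example (not part of the original message, and not FreeRADIUS code): a check for the symptom discussed in this thread, an Access-Accept that carries more than one User-Name or still carries the anonymous outer identity. It parses the RADIUS attribute list as laid out in RFC 2865; the packets and the names "anonymous" and "sam" are constructed sample values, and the function names are hypothetical.

```python
import struct

USER_NAME = 1  # RADIUS attribute type 1 (RFC 2865)

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def check_reply_user_name(packet: bytes, outer_identity: str):
    """Return (names, problems) for the User-Name attributes in a reply."""
    names = [v.decode("utf-8", "replace")
             for t, v in radius_attributes(packet) if t == USER_NAME]
    problems = []
    if not names:
        problems.append("no User-Name in reply")
    if len(names) > 1:
        problems.append("reply carries %d User-Name attributes" % len(names))
    if outer_identity in names:
        problems.append("outer identity %r present in reply" % outer_identity)
    return names, problems

def build_accept(names):
    """Constructed sample: Access-Accept (code 2), zeroed authenticator."""
    attrs = b"".join(bytes([USER_NAME, 2 + len(n)]) + n.encode()
                     for n in names)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed packets: the reported symptom, and the reply described above
# where only the tunneled User-Name reaches the outer reply.
BROKEN = build_accept(["anonymous", "sam"])
EXPECTED = build_accept(["sam"])

if __name__ == "__main__":
    for label, pkt in (("broken", BROKEN), ("expected", EXPECTED)):
        print(label, check_reply_user_name(pkt, "anonymous"))
```

The same function can be fed the raw bytes of an Access-Accept taken from a packet capture, with outer_identity set to the anonymous identity configured on the supplicant.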


