EAP Outer and Inner Tunnel Behaviour Discussion

Jacky Chan jackyc at wkg1.umac.mo
Mon Apr 6 05:47:23 CEST 2009


Hi all, 

We are going to proxy EAP to another site, with FreeRADIUS on both sides (we
are using 2.1.4, the other site is using 1.x), but some interesting problems
have occurred. Details are as follows:

Our site only accepts the non-“@domain” format for inner EAP tunnel
authentication, since the user DB only stores user names without a suffix (as
in my previous post, a replier said that the EAP user name cannot be changed
by the terminal home server, even using unlang or strip in proxy.conf, so I
gave up on changing the inner EAP user name in our terminal home RADIUS).

But the administrator of the other site which connects with us said that the
user names stored in their file/DB are also without a suffix, but they can use
“@domain” to pass the EAP/mschapv2 authentication with “stripped-user-name”.
I’m not sure how and why, but after testing, I can use anonymous at aaa.net as
the user name of the outer EAP tunnel and user1 at aaa.net as the user name of
the inner EAP tunnel to pass the authentication. Then I tried to remove the
suffix from the inner EAP user name, or to change the outer user name, in the
client EAP supplicant (at our site, changing the outer user name is accepted;
you can use any outer user name, since the proxy server only cares about the
suffix), and it fails. So how do you think the user names are actually stored
in the other site's DB: without a suffix or with it? But if they are all
without a suffix, why can I not log in with a non-suffix user name in the
inner EAP tunnel?

And how can I remove the suffix in the inner EAP tunnel during authentication?
Or do all accounts have a suffix in the other site's DB?