EAP Outer and Inner Tunnel Behaviour Discussion

Alan DeKok aland at deployingradius.com
Mon Apr 6 13:47:43 CEST 2009


Jacky Chan wrote:
> We are going to proxy EAP to another site, all with freeradius (we are using
> 2.1.4, the other site is using 1.x), but some interesting problems
> occurred; details are as follows:
> 
> Our site only accepts the non-“@domain” format for inner EAP tunnel
> authentication, since the user DB only stores user names without a suffix (as
> in my previous post, the replier said that the EAP user name cannot be changed
> by the terminal home server even using unlang or strip in proxy.conf, so I gave
> up changing the inner EAP user name in our terminal home radius).

  This has NO effect on proxying.

> But the administrator of the other site which connects with us said that their
> user names stored in the file/DB are also without a suffix, but they can use
> “@domain” to pass the EAP/mschapv2 authentication with “stripped-user-name”.
> I’m not sure how and why, but after testing, I can use anonymous@aaa.net as the
> user name of the outer EAP tunnel and user1@aaa.net as the user name of the
> inner EAP tunnel to pass the authentication. Then I tried to remove the “suffix
> from inner EAP user name” or change the “outer user name” in the client EAP
> supplicant (at our site, changing the outer user name is accepted; you can use
> any outer user name since the proxy server only cares about the suffix), and it
> fails. So what do you think about how the user name is actually stored in the
> other site's DB: is it without the suffix or with it? But if it is all without
> a suffix, why can I not log in with a non-suffix user name in the inner EAP
> tunnel?

  That doesn't make a lot of sense to me.

  You will need to proxy the OUTER eap session to the other server.  Do
NOT proxy the inner EAP session.

> And how can the suffix be removed in the inner EAP tunnel during
> authentication? Or do all accounts have a suffix in the other site's DB?

  Don't touch the inner EAP tunnel when you are proxying.

  Alan DeKok.
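As an added illustration, not taken from this thread or from the FreeRADIUS distribution, here is a 2.1.x-style configuration for the proxying site that hands the whole outer EAP session for the aaa.net realm to the other site and never touches the inner tunnel; the home server address, shared secret and section names are placeholders, and only the realm name aaa.net comes from the thread.

```conf
# proxy.conf on the proxying site (FreeRADIUS 2.1.x syntax).  Added example:
# the address, secret and section names below are placeholders; only the
# realm name aaa.net comes from the thread.
home_server other_site_auth {
        type = auth
        ipaddr = 192.0.2.10      # assumed address of the other site's server
        port = 1812
        secret = CHANGE_ME       # placeholder shared secret
}

home_server_pool other_site_pool {
        type = fail-over
        home_server = other_site_auth
}

# Any outer identity ending in @aaa.net (e.g. anonymous@aaa.net) is handed
# to the other site as a whole EAP conversation.  "nostrip" forwards the
# User-Name unchanged, so the other site sees exactly what the supplicant sent.
realm aaa.net {
        auth_pool = other_site_pool
        nostrip
}

# sites-enabled/default on the proxying site: "suffix" must run before
# "eap" so that Proxy-To-Realm is set first.  When it is set, rlm_eap does
# not start a local EAP session, so the TLS tunnel is only ever opened at
# the other site; that is why the inner identity cannot be rewritten here.
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        files
}
```

The inner-tunnel virtual server at the proxying site is never reached for these requests, so any stripping of the inner user name has to happen in the other site's own inner-tunnel configuration.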
