Inner identity in accounting logs

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Feb 3 19:42:38 CET 2009


Jonathan Gazeley wrote:
> No - this is a completely standard FreeRADIUS configuration. Nothing
> relating to rewriting anything has been changed.
> 
> In the debug log posted in one of my earlier messages, it appears the FR
> server sends an Access-Challenge packet from the inner server using my
> statically set outer ID (testing-jg4461). But immediately after, it
> reverts to using the original outer ID (qwerty99). Then this username
> shows in accounting.
> 
> This doesn't happen when I set the outer ID in the outer server. In that
> case, the statically set outer ID sticks and appears in accounting.
> 
> What's the difference between using an identical piece of code in inner
> or outer servers?
> 
> 

As far as I'm aware this has never worked, which is why I still return
attributes from the inner tunnel and get it that way.


eap {

	peap {
		use_tunneled_reply = yes
		virtual_server = "local.user.inner"
	}
}


server local.user.inner {
	post-auth {
		#
		#  Return inner identity to use in final accept
		#
		update reply {
			User-Name := "%{Stripped-User-Name}"
		}
	}
}


You can then apply your authorisation policy in post-auth where it
should be already :P .

Alan, if the last round of the EAP conversation didn't require data to
be sent to the inner server, the outer.User-Name attribute would just be
discarded, right? Or do you store those attributes in the same place you
store the tunneled-reply?

Arran


> Alan DeKok wrote:
>> Jonathan Gazeley wrote:
>>  
>>> Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS
>>> expands the username as expected, but why this username never makes it
>>> back to the NAS. Does anyone have any ideas?
>>>     
>>
>>   No idea... is there anything else that's over-writing the User-Name?
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>   


--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
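
Added example, not part of the original message or of FreeRADIUS: a check over accounting records that reports sessions still logged under the outer identity, which is the symptom discussed in this thread. The records are constructed in the FreeRADIUS detail-file layout (timestamp line, tab-indented "Attribute = value" pairs, blank line between records); the function names and the set of outer identities are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs) in the detail-file layout.
SAMPLE_DETAIL = """\
Tue Feb  3 19:40:01 2009
\tUser-Name = "qwerty99"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A1"
\tNAS-IP-Address = 192.0.2.10

Tue Feb  3 19:41:12 2009
\tUser-Name = "testing-jg4461"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A2"
\tNAS-IP-Address = 192.0.2.10

Tue Feb  3 19:55:40 2009
\tUser-Name = "qwerty99"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000A1"
\tNAS-IP-Address = 192.0.2.10
"""

PAIR = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Return one dict per accounting record (last value wins for repeats)."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        rec = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = PAIR.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip().strip('"')
        records.append(rec)
    return records

def sessions_logged_with_outer_id(records, outer_ids):
    """Map Acct-Session-Id -> status types accounted under an outer identity."""
    hits = defaultdict(list)
    for rec in records:
        if rec.get("User-Name") in outer_ids:
            hits[rec.get("Acct-Session-Id", "?")].append(rec.get("Acct-Status-Type"))
    return dict(hits)

if __name__ == "__main__":
    outer = {"qwerty99"}  # assumption: identities known to be outer-only
    found = sessions_logged_with_outer_id(parse_detail(SAMPLE_DETAIL), outer)
    for sid, kinds in found.items():
        print(f"session {sid}: accounted under outer identity ({', '.join(kinds)})")
```

A session that shows up here means the User-Name returned in the final accept did not reach accounting for that session.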

