Inner identity in accounting logs
Jonathan Gazeley
jonathan.gazeley at bristol.ac.uk
Mon Feb 9 16:13:35 CET 2009
Arran Cudbard-Bell wrote:
>
> As far as I'm aware this has never worked, which is why I still return
> attributes from the inner tunnel and get it that way.
>
>
> eap {
>     peap {
>         use_tunneled_reply = yes
>         virtual_server = "local.user.inner"
>     }
> }
>
>
> server local.user.inner {
>     post-auth {
>         #
>         # Return inner identity to use in final accept
>         #
>         update reply {
>             User-Name := "%{Stripped-User-Name}"
>         }
>     }
> }
>
>
>
This is pretty much the config I had already. My eap.conf already
specifies a virtual inner server. The only difference was that I had
'use_tunneled_reply = no', so I changed that to 'yes'.
My inner virtual server, 'inner-tunnel', already had an 'update reply'
block identical to yours.
But with this change I still get the outer identities in my accounting
logs. Any ideas what's up?
> You can then apply your authorisation policy in post-auth where it
> should be already :P .
>
The reason for authorising before we authenticate is because the
database query for authorisation is much faster than the request to the
AD controllers, and this saves unnecessary load on the AD controllers. I
know it's not really best practice.
Many thanks,
Jonathan