outer identity anonymous is being rejected

Alan DeKok aland at deployingradius.com
Wed Feb 11 14:41:37 CET 2009

Godfrey Peart wrote:
> My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS, this works 
> fine but some users are being rejected
>  because their wireless client allows the setting of an outer identity:
> anonymous or something else, which is not a valid username.

  You need to separate the rules for the outer && inner identity.

  The default configuration has the same "users" file being processed
for both the outer && inner sessions.  You might need to create a rule
to ignore it on the outer tunnel.

> So it's being rejected. How do I get the inner identity which contains a
> valid username to be processed instead of the outer identity.
>  I've seen some posts about using* Autz-type INNER* options but have
> merely succeded in breaking my test system when tryng it out.

  Don't use Autz-Type in 2.1.x.  "unlang" is better and more powerful.

  Try editing raddb/sites-enabled/default, and commenting out the
"files" line in the "authorize" section.  This will skip the "users"
file outside of the tunnel.

  Or, add a separate "files" module, and run that one inside of the tunnel.

  Alan DeKok.

More information about the Freeradius-Users mailing list