Question about outer identity

Alan Buxey A.L.M.Buxey at
Thu Jul 30 13:32:14 CEST 2009


> I have 2.1.6 and things basically work. But I just came across a
> question about the processing of outer/inner identity:
> As I understand it, in case of a non-EAP RADIUS request (e.g. from my old
> modem servers), there is no tunnel and hence no inner identity.
> ==> Autz and Auth are done by the default virtual server and governed by
> the settings in radiusd.conf and sites-available/default -- right?
> In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer  
> identity is simply used as a dummy during Tunnel setup
> (Our EAP Clients use anonymous at as outer identity).
> Nonetheless, freeradius does an LDAP request during Authorization
> which, of course, fails with 'notfound'. freeradius then happily
> proceeds to do the real authentication with inner-tunnel.
> Now I wonder how to avoid that extra LDAP query.
> Here's my config (ldap123 refers to a virtual module doing
> redundant-load-balance with 3 LDAP servers):

Something in your users file is matching and enforcing LDAP ;-)

