use_tunneled_reply has no effect
Stefan Winter
stefan.winter at restena.lu
Wed Jun 17 13:23:57 CEST 2009
Hi,
> After uncommenting that in inner-tunnel, I see local users authenticated
> by the LOCAL auth called outer.reply. But this is not the case for
> external users (realm handled by external proxy).
>
> The latter is what I really want: being able to see which external user
> is authenticating.
The whole concept of inner tunneling and protecting it via TLS is
*because* you are *not* supposed to see the actual authentication
credentials. For your local users, you terminate the tunnel yourself and
can decide to expose the information by uncommenting the above, but for
non-local users it is supposed to not work.
> As we are not doing Accounting, isn't it possible to
> move the outer.reply higher up in the stack? Or it shouldn't matter?
>
Outer anonymous identities preserve privacy of the (remote) user
authenticating. If you want to change that, you need a business
agreement with the remote party to disclose their user information to you.
Taking a peek at your mail domain name: if you are about to set up
eduroam - there is no automated disclosure of the inner identity in
eduroam. There is a process to ask the identity provider (IdP)
retroactively *if and when* the user has done something wrong and needs
to be traced. But there is no proactive information disclosure - or
better put, it's at the discretion of the IdP to tell the rest of the
world who his user is; unsurprisingly most IdPs opt not to do so, if for
no other reason than to evade privacy and data protection laws.
Greetings,
Stefan Winter
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
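As an added illustration (not from Stefan's mail or from the FreeRADIUS distribution), here is the inner-tunnel post-auth change the thread is about, next to the outer-server path a proxied realm takes instead; the realm names are assumed.

```unlang
# sites-available/inner-tunnel, post-auth section (FreeRADIUS 2.x/3.x unlang).
# This virtual server only runs when the TLS tunnel (PEAP/TTLS) is
# terminated on THIS server, i.e. for realms you authenticate locally.
post-auth {
    # Copy the inner (real) User-Name into the reply of the OUTER request,
    # so the outer request's reply log shows who actually authenticated.
    # Only your own users ever reach this point; "request" here is the
    # inner request, "outer.reply" the reply of the enclosing EAP request.
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
}

# sites-available/default, authorize section of the outer server.
# For a realm owned by another organisation (e.g. a remote eduroam IdP)
# the "suffix" realm lookup sets Proxy-To-Realm and the whole EAP
# conversation is forwarded before any inner-tunnel code runs locally.
# The remote IdP terminates the tunnel; the only identity this server
# sees is the anonymous outer one, e.g. "anonymous@example.org".
authorize {
    suffix        # split "user@realm", realm defined in proxy.conf
    eap {
        ok = return
    }
}
```

The outer.reply update is therefore a no-op for proxied realms by design, not by misconfiguration.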