LDAP group check on inner-tunnel.

Alan DeKok aland at deployingradius.com
Wed Aug 11 02:44:07 CEST 2010


Jason Fenner wrote:
> However, when I test PEAP using eapol_test authentication also works
> fine, but the ldap group checking occurs only on the outer-tunnel
> username.  In this case, the outer tunnel is created using the username
> "anonymous".  This user doesn't exist in AD, so a failure is the response.
> 
> In inner-tunnel post-auth I have this snippet:
> 
> update outer.reply {
>         User-Name = "%{request:User-Name}"
> }

  And go read the LDAP configuration.  Is it looking for %{User-Name}, or
%{reply:User-Name}?

> My understanding was that this should copy the real username from the
> inner tunnel to the outer tunnel. 

 To the *reply* list.  That's what you said.  You've read enough of the
documentation to explicitly reference the "request" list above, so you
know it's different from the "reply" or "outer.reply" list.

  Now go apply that knowledge further.

> This should then allow ldap
> groupcheck to test the correct username.

  No.

>  I never see an ldap check on the inner tunnel at all.

  Because you didn't configure "ldap" in the
raddb/sites-available/inner-tunnel virtual server.  This is documented.

> I see this strange output in debug in relation to the snippet above:
..
> I would think that outer.reply should return ok or something other than
> noop.

  No.  It returns "noop" for some esoteric reasons.  But that's a
distraction, and not the source of the real problem.

  Alan DeKok.
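As an added illustration (not part of this thread or the FreeRADIUS distribution), here is a minimal FreeRADIUS 2.x inner-tunnel virtual server in which "ldap" runs in authorize on the inner identity, the group check is made there against the real User-Name, and only then is that name copied to the outer reply. The module instance name "ldap" and the group name "wifi-users" are assumptions.

```unlang
# Added example: raddb/sites-available/inner-tunnel (relevant sections only).
# Assumes an rlm_ldap instance named "ldap" and an AD group "wifi-users".
server inner-tunnel {
    authorize {
        # The inner request carries the real identity, so "ldap" must be
        # listed here; listing it only in the default (outer) server means
        # it sees "anonymous" and the group check can never succeed.
        ldap

        # Group membership is evaluated against the inner User-Name.
        if (Ldap-Group != "wifi-users") {
            reject
        }

        mschap
        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        # Copy the authenticated inner identity to the outer *reply* list,
        # so the NAS and accounting see the real user, not "anonymous".
        # This does not make the outer server's ldap/group check use it.
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
    }
}
```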