reauth-problem with WPA2-tls
Alexander Clouter
alex at digriz.org.uk
Thu Jun 3 16:17:50 CEST 2010
Bjørn Mork <bjorn at mork.no> wrote:
>
>> The 'No information to cache' means you do not have anything useful
>> (for example 'User-Name') in the reply packet.
>
> Makes sense.
>
>> In the post-auth of my inner-eap virtual server I have added:
>> ----
>> post-auth {
>>     ...
>>     # needed for TTLS cache
>>     update reply {
>>         User-Name := "%{request:User-Name}"
>>     }
>>     ...
>> }
>> ----
>>
>> That should fix your problem.
>
> Thanks. Looks like something for the default config/documentation with
> that comment included.
>
To make things more interesting, depending on your situation[1] you might
want to then strip the User-Name attribute from your reply traffic on
the outer layer.

We do this as, in the 'eduroam' world, when our lusers are roaming away
from their home institution, we want to protect the guilty and give them
some degree of anonymity. This means the remote organisation the user
is visiting only sees the username in the initial request packet...which
for TTLS *should* be '@example.com' and *not* 'luser@example.com'.

Of course when our users are onsite we pass on the User-Name in the
Access-Accept so that the accounting packets from the NAS have the inner
username present, making grepping/SELECTing your accounting logs that
much easier.
Cheers
--
Alexander Clouter
.sigmonster says: You are so boring that when I see you my feet go to sleep.
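Putting the two halves of the thread together as an added configuration example (not taken from Alexander's or Bjørn's own config): the inner-tunnel post-auth caches the identity as shown above, and the outer server's post-auth strips it again only when the request arrived through the federation. It assumes FreeRADIUS 2.x-style unlang, that `use_tunneled_reply = yes` is set in the ttls section of eap.conf so the inner reply reaches the outer reply, and that every eduroam proxy is defined in clients.conf with a shortname beginning "eduroam-" (local access points use other names).

```unlang
# sites-enabled/inner-tunnel (the inner-eap virtual server), as in the post:
# copy the inner identity into the reply so TTLS has something to cache,
# which silences the 'No information to cache' message.
post-auth {
    update reply {
        User-Name := "%{request:User-Name}"
    }
}

# sites-enabled/default (the outer virtual server that terminates TTLS).
# Assumption: federation proxies are clients named "eduroam-*"; anything
# else is one of our own NASes.
post-auth {
    # Request came in via the federation, so our user is roaming: the
    # visited organisation must only ever see the anonymous outer identity
    # ('@example.com'), so remove every User-Name from the Access-Accept.
    if ("%{client:shortname}" =~ /^eduroam-/) {
        update reply {
            User-Name !* ANY
        }
    }
    # Otherwise the user is onsite: leave the inner User-Name in the
    # Access-Accept so the NAS carries it into its accounting packets.
}
```

Run `radiusd -X` and check the outer Access-Accept in the debug output: for a request from an "eduroam-" client it should carry no User-Name, while a request from a local NAS keeps the inner username.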
More information about the Freeradius-Users mailing list