strangeness with Meru Controller

Phil Mayers p.mayers at
Wed Nov 13 18:01:25 CET 2013

On 13/11/13 16:43, Rui Ribeiro wrote:
> Dear all,
> We have are switching to Meru here, using a FreeRadius 2.12 Debian stock
> with EDUROAM/EAP-TTLS-MSCHAPv2 + AD authentication, just for the sake of
> completeness.

Do you mean TTLS/MSCHAP here, or TTLS/EAP-MSCHAPv2? They're different, 
and in particular since the latter is an EAP inner, it sends a reply 
User-Name, whereas the former does not, and it gets left to the EAP outer.

> What happens is that whilst with our Cisco Controller, the username in
> the SQL User Accounting is the same as the one in authentication, when
> dealing with the Meru Controllers, the user in Accounting has no
> realm/domain unless I copy expressly the User-Name from the inner-tunnel
> to the outer-tunnel.

The "User-Name" in accounting packets should be:

  1. The User-Name from the Access-Accept packet, if set
  2. The User-Name from the Access-Request packet, otherwise

Look at a debug to see what you're sending in Access-Accept - check 
you're actually sending the same thing to both devices.

Personally I *always* set reply:User-Name myself in post-auth{} blocks, 
and I *always* qualify it with a realm, even if the user didn't send 
one. I prefer the explicit approach.

More information about the Freeradius-Users mailing list