strangeness with Meru Controller
Phil Mayers
p.mayers at imperial.ac.uk
Wed Nov 13 18:01:25 CET 2013
On 13/11/13 16:43, Rui Ribeiro wrote:
> Dear all,
>
> We are switching to Meru here, using a FreeRadius 2.12 Debian stock
> with EDUROAM/EAP-TTLS-MSCHAPv2 + AD authentication, just for the sake of
> completeness.

Do you mean TTLS/MSCHAP here, or TTLS/EAP-MSCHAPv2? They're different,
and in particular since the latter is an EAP inner, it sends a reply
User-Name, whereas the former does not, and it gets left to the EAP outer.

>
> What happens is that whilst with our Cisco Controller, the username in
> the SQL User Accounting is the same as the one in authentication, when
> dealing with the Meru Controllers, the user in Accounting has no
> realm/domain unless I copy expressly the User-Name from the inner-tunnel
> to the outer-tunnel.

The "User-Name" in accounting packets should be:

1. The User-Name from the Access-Accept packet, if set
2. The User-Name from the Access-Request packet, otherwise

Look at a debug to see what you're sending in Access-Accept - check
you're actually sending the same thing to both devices.

Personally I *always* set reply:User-Name myself in post-auth{} blocks,
and I *always* qualify it with a realm, even if the user didn't send
one. I prefer the explicit approach.
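
The accounting rule listed in the reply above, together with its advice to send a realm-qualified reply User-Name, as an added example that is not part of the original post or of FreeRADIUS: a Python check over request/accept/accounting triples that separates a NAS deviating from the rule from a server that sent an unqualified name. The session data, NAS names and verdict labels are assumptions constructed for illustration.

```python
# Added example. The sessions are constructed sample data; NAS names are hypothetical.
SESSIONS = [
    {"nas": "nas-1",
     "request": {"User-Name": "anonymous@example.org"},
     "accept": {"User-Name": "alice@example.org"},
     "accounting": {"User-Name": "alice@example.org"}},
    {"nas": "nas-2",
     "request": {"User-Name": "anonymous@example.org"},
     "accept": {"User-Name": "alice"},
     "accounting": {"User-Name": "alice"}},
    {"nas": "nas-3",
     "request": {"User-Name": "bob@example.org"},
     "accept": {},
     "accounting": {"User-Name": "bob"}},
    {"nas": "nas-4",
     "request": {"User-Name": "anonymous@example.org"},
     "accept": {"User-Name": "carol@example.org"},
     "accounting": {"User-Name": "anonymous@example.org"}},
]

def expected_acct_user(request, accept):
    """Rule from the reply: Access-Accept User-Name if set, else Access-Request."""
    return accept.get("User-Name") or request["User-Name"]

def classify(session):
    """Say whether the NAS or the server explains the accounting User-Name."""
    req = session["request"]["User-Name"]
    reply = session["accept"].get("User-Name")
    got = session["accounting"]["User-Name"]
    want = expected_acct_user(session["request"], session["accept"])
    if got != want:
        if got == want.split("@", 1)[0]:
            return "nas-stripped-realm"
        if reply and got == req:
            return "nas-ignored-reply-user-name"
        return "nas-unexpected-user-name"
    if "@" not in want:
        # NAS followed the rule; the name it was given had no realm.
        return "server-sent-unqualified-user-name"
    return "ok"

def audit(sessions):
    """Return (nas, verdict) for every session that is not 'ok'."""
    verdicts = [(s["nas"], classify(s)) for s in sessions]
    return [v for v in verdicts if v[1] != "ok"]

if __name__ == "__main__":
    for nas, verdict in audit(SESSIONS):
        print(nas, verdict)
```
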
More information about the Freeradius-Users
mailing list