Not able to receive inner identity in Access-Accept in EAP-TTLS.

Bhavesh Kamani bhavesh.kamani at cyberoam.com
Fri Aug 29 12:44:29 CEST 2014


Hi Team,

Is there a way by which the NAS can identify whether the client has used an
anonymous identity or not used one (i.e. blank)?

Thanks,
Bhavesh.

On Friday 29 August 2014 03:18 PM, Stefan Paetow wrote:
>> My log excerpts provided examples of the problem I was facing with
>> both TTLS-MSCHAPv2 and PEAP-MSCHAPv2; I also tried TTLS-PAP, with
>> the same negative result.
> I haven't seen any full debug logs (i.e. running radiusd -X and sending the list the complete output) from you... only snippets, which are not helpful without any context.
>
>> To be sure, do you mean you really manage to retrieve the inner identity
>> with the help of an "update outer.reply" only?
> Yes. In the 'eap' module I have:
>
> eap: default_eap_type = ttls
>
> eap, ttls: default_eap_type = mschapv2
> copy_request_to_tunnel = yes
> use_tunneled_reply = no
>
> eap, peap: identical to eap, ttls.
>
> In inner-tunnel, post-auth:
>
> if (... comparison here irrelevant ...) {
>      update outer.reply {
>          User-Name := "%{Stripped-User-Name}"
>      }
> }
> else {
>      cui-inner
> }
>
> Works fine here...
>
> One thing I did find: when I used eapol_test (or more specifically, rad_eap_test, which calls eapol_test), I had to make sure I specified EAPMSCHAPv2 as the inner auth method. Just specifying MSCHAPv2 does not make it EAP-MSCHAPv2.
>
> Stefan
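
Added example, not part of the thread and not FreeRADIUS code: a sketch of what a NAS could do once the `update outer.reply` block quoted above places a User-Name in the Access-Accept, namely parse both packets and compare the outer identity from the Access-Request with the returned one. The packets are constructed, the function names are hypothetical, and it assumes the reply carries the realm-stripped name (as with `Stripped-User-Name`); the Response Authenticator is not verified here.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME = 1, 2, 1  # codes and attribute type (RFC 2865)

def build_packet(code, ident, attrs):
    """Build a constructed RADIUS packet; the authenticator is zero filler."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return (code, [(type, value), ...]); reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def user_name(packet, expected_code):
    code, attrs = parse_attrs(packet)
    if code != expected_code:
        raise ValueError("unexpected RADIUS code %d" % code)
    return next((v.decode("utf-8") for t, v in attrs if t == USER_NAME), None)

def compare_identities(request, accept):
    """Compare the outer identity with the User-Name returned in Access-Accept."""
    outer = user_name(request, ACCESS_REQUEST)
    returned = user_name(accept, ACCESS_ACCEPT)
    if returned is None:
        return "absent"   # server did not copy an identity into the reply
    # Assumption: the reply holds the realm-stripped name, so compare local parts.
    if (outer or "").split("@", 1)[0] == returned.split("@", 1)[0]:
        return "matches"  # outer identity is the same user as the returned one
    return "differs"      # e.g. an anonymous outer identity was used

# Constructed sample packets
REQ_ANON = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"anonymous@example.org")])
REQ_REAL = build_packet(ACCESS_REQUEST, 8, [(USER_NAME, b"alice@example.org")])
ACCEPT = build_packet(ACCESS_ACCEPT, 7, [(USER_NAME, b"alice")])
```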



More information about the Freeradius-Users mailing list