PEAP auth rejected due to different inner and outer user-id
McNutt, Justin M.
McNuttJ at missouri.edu
Thu Feb 13 13:56:06 CET 2014
When this occurs, do you get something in your log that tells you that this is the reason for the auth failure?
Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?
Sent from my mobile device.
On Feb 11, 2014, at 8:52, "inverse" <inverse at ngi.it> wrote:
The "eap_custom" module seems responsible for this behaviour, so you should look into its config. Curiously enough, I've found no traces of it in my freeradius 2.2.3.
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed.
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler
However, I consider this a feature, not a bug. In fact, as a local policy for eduroam I've placed this in the inner-tunnel's post-auth section:
    if ( "%{outer.request:User-Name}" != "%{User-Name}" ) {
        reject
    }
which does exactly that. If you see something along these lines, you've found the source of your problems.
Best regards,
Inverse
On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng at gmail.com> wrote:
Encountered the following issue.
Running FR 2.2.3. PEAP tunneled authentication was successful, but it gets rejected due to a username mismatch. No issue when both usernames are the same.
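
An added illustration, not part of any message in this thread and not FreeRADIUS code: a Python model of the strict outer/inner comparison quoted above, next to a realm-only comparison that tolerates an anonymous outer identity. The function names, the treatment of an empty or "anonymous" user part as anonymous, and the sample identities are assumptions.

```python
# Added illustration; all names here are hypothetical, not FreeRADIUS code.

def split_nai(identity):
    """Split 'user@realm' into (user, realm); realm is lower-cased, '' if absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:                      # no '@' at all: whole string is the user part
        return identity, ""
    return user, realm.lower()


def strict_policy(outer, inner):
    """Model of the quoted post-auth rule: reject unless both strings are identical."""
    return "accept" if outer == inner else "reject"


def realm_policy(outer, inner, anonymous_users=("", "anonymous")):
    """Assumed alternative: allow an anonymous outer user part, but require
    that the outer realm (used for routing) equals the inner realm."""
    o_user, o_realm = split_nai(outer)
    i_user, i_realm = split_nai(inner)
    if not i_user:
        return "reject"              # inner identity must name a real user
    if o_realm != i_realm:
        return "reject"              # routed to one realm, authenticated as another
    if o_user.lower() in anonymous_users or o_user == i_user:
        return "accept"
    return "reject"                  # outer names a different, non-anonymous user


# Constructed sample identities (not taken from the thread).
SAMPLES = [
    ("alice@example.edu", "alice@example.edu"),
    ("anonymous@example.edu", "alice@example.edu"),
    ("@example.edu", "alice@example.edu"),
    ("anonymous@example.edu", "alice@other.example"),
    ("bob@example.edu", "alice@example.edu"),
    ("anonymous@EXAMPLE.EDU", "alice@example.edu"),
]


def compare_policies(samples=SAMPLES):
    """Return (outer, inner, strict_result, realm_result) for each pair."""
    return [(o, i, strict_policy(o, i), realm_policy(o, i)) for o, i in samples]


if __name__ == "__main__":
    for row in compare_policies():
        print("outer=%-24s inner=%-22s strict=%-6s realm=%s" % row)
```
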