PEAP auth rejected due to different inner and outer user-id

McNutt, Justin M. McNuttJ at
Thu Feb 13 13:56:06 CET 2014

When this occurs, do you get something in your log that tells you that this is the reason for the auth failure?

Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?

Sent from my mobile device.

On Feb 11, 2014, at 8:52, "inverse" <inverse at<mailto:inverse at>> wrote:

The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3

Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name.  Authentication failed.
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler

However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section:

if ( "%{outer.request:User-Name}" != "%{User-Name}" ){

which does exactly that. If you see something along these lines, you've found the source of your problems

Best regards,


On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng at<mailto:douglas.eseng at>> wrote:
Encountered the following issue.

Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.

List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list