PEAP auth rejected due to different inner and outer user-id

douglas eseng douglas.eseng at gmail.com
Sat Feb 15 16:49:57 CET 2014


Trying to find a configuration that allows accurate accounting when PEAP /
TTLS has an anonymous outer user-id.

Using FR 2.2.3 with default configuration.
- add a testing user
- enable eap.conf use_tunneled_reply for both PEAP & TTLS

Observed that,
- PEAP sent inner user-id in the Access-Accept
- TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output
attached)

Additionally enable 'update outer.reply' in post-auth section for the
inner-tunnel virtual server.

Observed that,
- PEAP failed due to identity mismatch. (debug output attached)
- TTLS-PAP sent inner user-id in the Access-Accept.

Seems like both the use_tunneled_reply option and update outer.reply in the
post-auth section have inconsistent behavior.

What would be the correct configuration to allow accurate accounting?

Thanks.


On Sat, Feb 15, 2014 at 11:43 PM, douglas eseng <douglas.eseng at gmail.com> wrote:

> Trying to find a configuration that allows accurate accounting when PEAP /
> TTLS has an anonymous outer user-id.
>
> Using FR 2.2.3 with default configuration.
> - add a testing user
> - enable eap.conf use_tunneled_reply for both PEAP & TTLS
>
> Observed that,
> - PEAP sent inner user-id in the Access-Accept
> - TTLS-PAP sent outer user-id in the Access-Accept instead. (debug output
> attached)
>
> Additionally enable 'update outer.reply' in post-auth section for the
> inner-tunnel virtual server.
>
> Observed that,
> - PEAP failed due to identity mismatch. (debug output attached)
> - TTLS-PAP sent inner user-id in the Access-Accept.
>
> Seems like both the use_tunneled_reply option and update outer.reply in the
> post-auth section have inconsistent behavior.
>
> What would be the correct configuration to allow accurate accounting?
>
> Thanks.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ttls-pap-debug.zip
Type: application/zip
Size: 8455 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140215/5dde1a7c/attachment-0002.zip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: peap-with-postauth-debug.zip
Type: application/zip
Size: 10223 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140215/5dde1a7c/attachment-0003.zip>

