PEAP auth rejected due to different inner and outer user-id

Alan DeKok aland at
Sat Feb 15 17:13:53 CET 2014

douglas eseng wrote:
> Trying to find a configuration that allow accurate accounting when PEAP
> / TTLS having anonymous outer user-id.

  That's what CUI is for.  However, some NAS equipment doesn't support it.

> Using FR 2.2.3 with default configuration.
> - add a testing user
> - enable eap.conf use_tunneled_reply for both PEAP & TTLS
> Observed that,
> - PEAP sent inner user-id in the Access-Accept
> - TTLS-PAP sent outer user-id in the Access-Accept instead. (debug
> output attached)

  That's the way it works...

> Additionally enable 'update outer.reply' in post-auth section for the
> inner-tunnel virtual server.

  That should work.

> Observed that,
> - PEAP failed due to identity mismatch. (debug output attached)

  That's weird...

> - TTLS-PAP sent inner user-id in the Access-Accept.
> Seem like both use_tunneled_reply option and update outer.reply in
> post-auth section have inconsistent behavior.
> What would be the correct configuration to allow accurate accounting?

  It should work...

  Alan DeKok.

More information about the Freeradius-Users mailing list