PEAP auth rejected due to different inner and outer user-id
Alan DeKok
aland at deployingradius.com
Sat Feb 15 17:13:53 CET 2014
douglas eseng wrote:
> Trying to find a configuration that allows accurate accounting when PEAP
> / TTLS have an anonymous outer user-id.
That's what CUI is for. However, some NAS equipment doesn't support it.
> Using FR 2.2.3 with default configuration.
> - add a testing user
> - enable eap.conf use_tunneled_reply for both PEAP & TTLS
>
> Observed that,
> - PEAP sent inner user-id in the Access-Accept
> - TTLS-PAP sent outer user-id in the Access-Accept instead. (debug
> output attached)
That's the way it works...
> Additionally enable 'update outer.reply' in post-auth section for the
> inner-tunnel virtual server.
That should work.
> Observed that,
> - PEAP failed due to identity mismatch. (debug output attached)
That's weird...
> - TTLS-PAP sent inner user-id in the Access-Accept.
>
> Seems like both use_tunneled_reply option and update outer.reply in
> post-auth section have inconsistent behavior.
>
> What would be the correct configuration to allow accurate accounting?
It should work...
Alan DeKok.