How to Reject Anonymous Identity

Dom Latter freeradius-users at latter.org
Fri Nov 2 17:48:12 CET 2018



On 02/11/2018 16:15, Alan DeKok wrote:
> 
> On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
>>
>> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
>> stepped into the world of RADIUS, I have been dealing with the issue of
>> "anonymous" users.
> 
>    What do you mean by anonymous users?

People who set up an anonymous username that is different to the "real"
username authenticated in the inner tunnel.

>> What I'd like to know though is that if there is a better, more elegant
>> FreeRADIUSy way of achieving the same goal. For example, would something
>> like below work?

AIUI you need to pass the inner request name back to the outer.  We
are using this snippet, but so that we can log using the real, not
anonymous, username.

In inner tunnel
   post-auth {
     # copy the inner User-Name into the outer session-state list
     update outer.session-state {
        &User-Name = &User-Name
     }
   }


Then in the default site you could try this:
   post-auth {
     # reject when the outer identity differs from the inner one
     if (&session-state:User-Name != &request:User-Name) {
       reject
     }
   }


NB untested, and there are people who understand the code far better
than I do.

