Altering identity

Alan DeKok aland at
Thu Aug 15 03:24:51 CEST 2019

On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1 at> wrote:
> Well, about empty realm - I mean this:
> 1) outer identity: empty

  That's an issue.  The outer identity shouldn't be empty.  In RADIUS, it's *forbidden* to have an empty User-Name.

  See RFC 7542.  The outer identity should be "anonymous", or maybe "@realm" where it's your realm.

> 2) inner identity: username
> I need to authenticate two kind of users:
> 1) ones with credentials above
> 2) eduroam

  Except that an empty outer identity means that your users will *never* be able to use eduroam.  An outer User-Name of "" is routable back to you via eduroam.  An empty outer User-Name will just get dropped on the floor.

> The only difference is in outer and inner identity.
> The both setups use EAP + MSCHAPv2 and OpenLDAP.
> I am trying to handle those two kind of users in single virtual server

  You generally *must* run them in a single virtual server.  Because the APs will send both user authentications to one RADIUS server.  And the RADIUS server has to figure it out.

> and
> it doesn't work - it says it's proxying request to localhost and that's it.

  See the FAQ for "it doesn't work".  And post the *actual* debug output. Not a one-line summary.

  What you 

> proxy.conf:

  We don't need to see that.  The documentation says to post the debug log, *not* the configuration files.

> Virtual server for inner identity:

  We don't need to see that, either.  If it doesn't work, it's wrong.  If you post the debug output, we see it *running* the configuration, which is infinitely more useful.

  What you should be doing is:

* all users log in with a non-empty outer identity.
* *your* users log in with outer identity of "@my.domain.tld"
* the FreeRADIUS configuration has that domain as a local one
* everything else gets proxied to eduroam

  A long and detailed guide is in the Wiki:

  Alan DeKok.
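
One way to lay the recommended split out in proxy.conf, as an added example that is not Alan's or the project's own configuration: the realm name follows the post, while the home server address and shared secret are placeholders, and the stock default server is assumed to still list the `suffix` module in its authorize section so the realm is split off the outer User-Name.

```conf
# proxy.conf (added example): local realm for our own users, everything else to eduroam.

# Placeholder for the national eduroam federation-level RADIUS server (FLR).
home_server eduroam_flr {
    type         = auth
    ipaddr       = 192.0.2.10       # placeholder address
    port         = 1812
    secret       = CHANGE_ME        # placeholder shared secret
    status_check = status-server    # detect a dead FLR instead of timing out every request
}

home_server_pool eduroam_pool {
    type        = fail-over
    home_server = eduroam_flr
}

# Our own realm.  No auth_pool here means "handle locally": the outer EAP
# request stays on this server and the inner identity is checked against OpenLDAP.
realm my.domain.tld {
}

# Any other realm (e.g. a visiting eduroam user's "@other.university.tld")
# is forwarded to the FLR.  "nostrip" keeps the full user@realm in User-Name
# so the home institution can route and match the request.
realm DEFAULT {
    auth_pool = eduroam_pool
    nostrip
}
```

An outer User-Name of "anonymous@my.domain.tld" or just "@my.domain.tld" matches the local realm, which is why the post insists every client sends a non-empty, realm-qualified outer identity.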

More information about the Freeradius-Users mailing list