Outer vs. inner ID in Login OK messages
Alan DeKok
aland at deployingradius.com
Wed Jan 23 16:27:23 CET 2019
On Jan 23, 2019, at 10:08 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
>
> I have a question about the "Login OK" messages in radius.log.
> We offer both PEAP/MS-CHAPv2 and EAP-TTLS/PAP to our clients
> Server is FR 3.0.17 on Debian. Upon succesful authentication,
> the outer and inner virtual server each append a Login OK
> message to radius.log - so far, so good.
> Assume the outer id is set to eduroam at staff.uni-marburg.de.
> With PEAP, I get
> Wed Jan 23 15:43:45 2019 : Auth: (4903823) Login OK: [pauly1] (from client wlc3 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
> Wed Jan 23 15:43:45 2019 : Auth: (4903824) Login OK: [eduroam at staff.uni-marburg.de] (from client wlc3 port 13 cli 20:64:32:00:00:01)
>
> With EAP-TTLS/PAP, I get
> Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
> Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01)
>
> So it would seem that in the latter case the outer server still logs the inner id.
The server should log what the client sends. The debug log you posted doesn't include that. So maybe the client *is* sending "pauly1" for the outer ID.
Alan DeKok.
More information about the Freeradius-Users
mailing list