[EXT] Anonymous outer identity

Brian Julin BJulin at clarku.edu
Tue May 31 18:02:23 UTC 2022


Jaume Obrador Vaquer <jobrador at lledoner.com> wrote:

> Hi, we’ve set up freeradius 3.0 in order to authenticate users through an
> LDAP server, also users are assigned different VLAN depending on gidNumber
> ldap attribute. We have 2 enabled sites ‘default’ and ‘inner-tunnel’

You should be performing LDAP in the inner-tunnel server, not the default server,
and use the EAP-PEAP copy_request_to_tunnel option to get stuff from
the outer layer into the inner server, if you need it.  Then use an
update outer.session-state {} clause to get stuff back out to the outer (default)
server as needed.

Alternatively you can do some LDAP post-auth lookup stuff after leaking the
inner-tunnel username back into the outer session, but you definitely want
to do the actual "authenticate" step in the inner tunnel, whether that be
by AD or LDAP.

There should be a few examples of these configurations around by now.

Also, FWIW, windows clients will postpend your domain name on the value
in the "identity privacy" field.  So if the username is foo at test.com and
they put "anon" in this field, the outer identity will be "anon at test.com".
JFYI. Most other clients let you set a different domain if you want,
Windows won't.
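The layout Brian describes (LDAP lookup and the real authentication in inner-tunnel, copy_request_to_tunnel to carry outer attributes in, update outer.session-state to carry the VLAN back out), as an added configuration example that is not part of the original post and not the poster's or the FreeRADIUS project's own config. File names follow the stock FreeRADIUS 3.0 layout; the gidNumber values and VLAN ids are assumptions.

```unlang
# Added example, not from the post or the FreeRADIUS project. Assumed:
# stock 3.0 file layout; the gidNumber -> VLAN mapping is made up.

# mods-enabled/eap: tunneled EAP runs in inner-tunnel; copy_request_to_tunnel
# makes outer attributes (e.g. Called-Station-Id) visible there.
eap {
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        copy_request_to_tunnel = yes
    }
}
# mods-enabled/ldap: map gidNumber into a stock internal control attribute
# so post-auth in inner-tunnel can branch on it.
ldap {
    update {
        control:Password-With-Header += 'userPassword'
        control:Tmp-Integer-0 := 'gidNumber'
    }
}
# sites-enabled/inner-tunnel: only here is the real inner User-Name visible,
# so the LDAP lookup and the actual authentication belong in this server.
server inner-tunnel {
    authorize {
        filter_username
        mschap
        ldap
        eap
    }
    authentication {
        mschap
        eap
    }
    post-auth {
        # Write the VLAN into the OUTER request's session-state; the stock
        # 'default' post-auth copies session-state into the final reply.
        switch &control:Tmp-Integer-0 {
            case 1001 {
                update outer.session-state {
                    Tunnel-Type := VLAN
                    Tunnel-Medium-Type := IEEE-802
                    Tunnel-Private-Group-Id := 10
                }
            }
            case {
                reject    # unmapped gidNumber: do not fall through to a default VLAN
            }
        }
    }
}
```

Because the outer 'default' server never sees the inner User-Name, keeping the LDAP lookup here also avoids authorizing on the anonymous outer identity.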

