filter_inner_identity
Alan DeKok
aland at deployingradius.com
Wed Jun 11 20:10:31 UTC 2025
On Jun 11, 2025, at 3:46 PM, Rodrigo Prieto <rodrigoprieto2019 at gmail.com> wrote:
> Hi, I’m configuring TTLS+PAP and I have some doubts about how to hide
> users' identities.
Use "anonymous" for the outer identity, or if you're proving somewhere a domain name as @example.com
> The configuration in the filter file rejects the request if the user
> doesn’t use the word “anon”, but if I use anonrprieto as the outer identity
> and rprieto as the inner identity, obviously it doesn’t reject it and the
> inner identity gets exposed.
So change the rule to check for "anonymous". The rules are text, and are editable.
> Is there any way to protect against this, or is it unnecessary?
You decide if it's necessary.
In general, this kind of filtering is most important when the packets are being proxied outside of your local network. If you're not proxying, it doesn't matter.
Alan DeKok.
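
The difference between a loose "anon" prefix check and an exact "anonymous" check, as an added example that is not part of the original message and is not FreeRADIUS code. The two regular expressions are assumed models of the rule described in the thread and of the suggested change, and the sample identities other than anonrprieto/rprieto are constructed.

```python
import re

# Assumed model of the rule described in the thread: any outer identity
# that begins with "anon" is accepted.
LOOSE = re.compile(r"^anon")

# Assumed stricter rule following the reply: the local part must be exactly
# "anonymous" (or empty), optionally followed by "@realm".
STRICT = re.compile(r"^(anonymous)?(@[A-Za-z0-9.-]+)?$")


def outer_allowed(outer: str, rule: re.Pattern) -> bool:
    """Return True if a non-empty outer identity passes the given rule."""
    return bool(outer) and rule.search(outer) is not None


def leaks_inner(outer: str, inner: str) -> bool:
    """Return True if the inner user name is visible in the outer identity."""
    inner_user = inner.split("@", 1)[0].lower()
    return bool(inner_user) and inner_user in outer.lower()


def audit(pairs):
    """Evaluate (outer, inner) identity pairs against both rules."""
    rows = []
    for outer, inner in pairs:
        rows.append({
            "outer": outer,
            "inner": inner,
            "loose": outer_allowed(outer, LOOSE),
            "strict": outer_allowed(outer, STRICT),
            "leak": leaks_inner(outer, inner),
        })
    return rows


# Constructed samples; only "anonrprieto"/"rprieto" come from the thread.
SAMPLES = [
    ("anonymous", "rprieto"),
    ("anonymous@example.com", "rprieto@example.com"),
    ("@example.com", "rprieto@example.com"),
    ("anonrprieto", "rprieto"),
    ("rprieto", "rprieto"),
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

The anonrprieto row is the case from the question: the loose rule accepts it while the inner user name is visible in the outer identity, and the exact match rejects it.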