
List:       freeradius-users
Subject:    Re: PEAP-MSCHAPv2 and anonymous outer identity - can't understand passing inner username to outer tu
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2022-05-05 7:07:10
Message-ID: 43F4EC54-E712-4BD3-ACF7-C4BAEE69BE97 () deployingradius ! com

On May 3, 2022, at 6:52 PM, Samuel Walker-Kierluk via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> I've got FreeRADIUS handling our "eduroam" needs at my university.  Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally:
> - Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers
> - Post-Auth in outer server file: for users of our own realm and on our own campus's network, I use a few "if" statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point.

  That's good.

> This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn't work properly, as it uses the outer identity "anonymous" instead of the username from the inner tunnel.

  So move the checks to the inner-tunnel.

  The only magic is you should then add the VLAN attributes to the outer.session-state list.  The "post-auth" section will automatically add them to the outer reply.  See the "post-auth" section of the inner-tunnel virtual server, and the post-auth section of the default virtual server.

	#
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
	#  The "session-state" attributes are automatically cached when
	#  an Access-Challenge is sent, and automatically retrieved
	#  when an Access-Request is received.

  Alan DeKok.

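As an added illustration of the approach described in the reply above (example configuration, not text from the original message or from the FreeRADIUS project): the VLAN decision moves into the inner-tunnel post-auth, where the real (inner) identity is visible, and the attributes are written to outer.session-state so the stock outer post-auth copies them into the reply. The username pattern, LDAP group DN and VLAN IDs are assumed placeholders; the ldap module instance is assumed to be named "ldap".

```unlang
#  sites-enabled/inner-tunnel, post-auth section (added example).
#  Runs only after the inner EAP-MSCHAPv2 authentication succeeded,
#  so User-Name / Stripped-User-Name here are the real user, not the
#  "anonymous" outer identity.
post-auth {
	#  Only users of our own realm reach the inner tunnel; everything
	#  from other realms was proxied by the outer server.  Guard on the
	#  stripped name so the pattern never matches "anonymous@realm".
	if (&Stripped-User-Name && (&Stripped-User-Name =~ /^[a-z]{2,8}[0-9]{1,4}$/)) {
		#  Placeholder pattern: student accounts -> VLAN 100
		update outer.session-state {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "100"
		}
	}
	elsif (LDAP-Group == "cn=staff,ou=groups,dc=example,dc=edu") {
		#  Placeholder group: staff accounts -> VLAN 200.  The ldap
		#  module resolves LDAP-Group using Stripped-User-Name (falling
		#  back to User-Name), which in the inner tunnel is the inner name.
		update outer.session-state {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "200"
		}
	}
	#  No else-branch: users matching neither rule get no VLAN attributes
	#  and land on the access point's default VLAN.
}

#  sites-enabled/default, post-auth section: nothing to add.  The stock
#  virtual server already carries the block the reply refers to, which
#  moves the cached attributes into the final Access-Accept:
#
#	update {
#		&reply: += &session-state:
#	}
```

Check the result with `radiusd -X` and a test supplicant: the final Access-Accept in the outer debug output should carry the three Tunnel-* attributes while the inner Access-Accept carries none, since they were placed in session-state rather than the inner reply.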


