Sam Schultz wrote:
> I have set a DEFAULT entry that sets the User-Name attribute via
> ':=', but I still end up with two User-Name attributes (anonymous
> identity & real identity). This is especially strange, since 
> use_tunneled_reply & copy_request_to_tunnel are both enabled as 
> well. 

  Then it may be a bug.  My tests look like they work, so I'm not sure
what the difference is with your configuration.

> If I understand correctly, := should replace the anonymous (first)
> User-Name value with the real (second) value permitting they are in
> the same session. Upon looking back at the debug output, it looks 
> like
> the tunneled request is actually handled as if it were a seperate 
> request than the one containing it (request->eap module-(unpack)-
>> new request).


> This would explain why two User-Name attributes are showing up in 
> the
> final response.

  Not entirely.  If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT FreeRADIUS-Proxied-To ==
        User-Name := `%{User-Name}`

  Then that name should be copied to the outer tunnel, AND the outer
tunnel SHOULD NOT add the "anonymous" username in the reply, because it
sees the User-Name copied from the tunnel.  See src/modules/rlm_eap/*.c

> P.S. A link to a list of known-good access points, or personal
>      recommendations on access points would also be appreciated.

  See the Wiki.  If you have good experiences, add them to the Wiki.

>      We will be replacing a few 3com APs soon because they don't
>      play well with...well...ANYTHING. One (3com OfficeConnect)
>      doesn't even have options for radius account, even though
>      it advertises the feature right on the box.

  Return them as broken.

  Cisco AP350's seems to be pretty solid.

  Alan DeKok.
--       - The web site of the book - The blog
List info/subscribe/unsubscribe? See

Reply via email to