Sam Schultz wrote:
> I have set a DEFAULT entry that sets the User-Name attribute via
> ':=', but I still end up with two User-Name attributes (anonymous
> identity & real identity). This is especially strange, since
> use_tunneled_reply & copy_request_to_tunnel are both enabled as
> well.

Then it may be a bug. My tests look like they work, so I'm not sure what the difference is with your configuration.

> If I understand correctly, := should replace the anonymous (first)
> User-Name value with the real (second) value permitting they are in
> the same session. Upon looking back at the debug output, it looks like
> the tunneled request is actually handled as if it were a separate
> request than the one containing it (request->eap module-(unpack)->new request).

Yes.

> This would explain why two User-Name attributes are showing up in the
> final response.

Not entirely. If you have use_tunneled_reply = yes, AND you're doing:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name := `%{User-Name}`

Then that name should be copied to the outer tunnel, AND the outer tunnel SHOULD NOT add the "anonymous" username in the reply, because it sees the User-Name copied from the tunnel. See src/modules/rlm_eap/*.c

> P.S. A link to a list of known-good access points, or personal
> recommendations on access points would also be appreciated.

See the Wiki. If you have good experiences, add them to the Wiki.

> We will be replacing a few 3com APs soon because they don't
> play well with...well...ANYTHING. One (3com OfficeConnect)
> doesn't even have options for radius account, even though
> it advertises the feature right on the box.

Return them as broken. Cisco AP350's seem to be pretty solid.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog