Arran Cudbard-Bell wrote:

As far as I'm aware this has never worked, which is why I still return
attributes from the inner tunnel and get it that way.


eap {

        peap {
                use_tunneled_reply = yes
                virtual_server = "local.user.inner"
        }
}


server local.user.inner {
        post-auth {
                #
                #  Return inner identity to use in final accept
                #
                update reply {
                        User-Name := "%{Stripped-User-Name}"
                }
        }
}


This is pretty much the config I had already. My eap.conf already specifies a virtual inner server. The only difference was that I had 'use_tunneled_reply = no', so I changed that to 'yes'.

My inner virtual server, 'inner-tunnel' already had an 'update reply' block identical to yours.

But with this change I still get the outer identities in my accounting logs. Any ideas what's up?

You can then apply your authorisation policy in post-auth where it
should be already :P .

The reason for authorising before we authenticate is because the database query for authorisation is much faster than the request to the AD controllers, and this saves unnecessary load on the AD controllers. I know it's not really best practice.

Many thanks,
Jonathan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
