Jacky Chan wrote:
> We are going to proxy EAP to another site, all with freeradius (we are using
> 2.1.4, the other site is using 1.x), but some interesting problems
> occurred. Details are as follows:
>
> Our site only accepts the non “...@domain” format for inner EAP tunnel
> authentication since the user DB only stores the user name without suffix (as in
> my previous post, the replier said that the terminal home server cannot change
> the EAP user name even using unlang or strip in proxy.conf, so I gave up trying
> to change the inner EAP user name in our terminal home radius).

This has NO effect on proxying.

> But the administrator of the other site which connects with us said that their
> user names stored in file/DB also have no suffix but can use “...@domain” to pass
> the EAP/mschapv2 authentication with “stripped-user-name”. I’m not sure how
> and why, but after testing, I can use [email protected] as the user name of the
> outer EAP tunnel and [email protected] as the user name of the inner EAP tunnel to pass
> the authentication. Then I tried to remove the “suffix from inner EAP user
> name“ or change the “outer user name” in the client EAP supplicant (in our site
> changing the outer user name is accepted, you can use any outer user name since
> the proxy server only cares about the suffix), and it fails. So how do you think
> the user name is actually stored in the other site's DB, is it without suffix or
> with it? But if it is all without suffix, why can't I log in with a non-suffix
> user name in the inner EAP tunnel?

That doesn't make a lot of sense to me. You will need to proxy the OUTER EAP session to the other server. Do NOT proxy the inner EAP session.

> And how can I remove the suffix in the inner EAP tunnel during authentication? Or
> do all accounts have a suffix in the other site's DB?

Don't touch the inner EAP tunnel when you are proxying.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

