tnt-4 wrote:
>
>> We are going to proxy EAP to another site, all with FreeRADIUS (we are
>> using 2.1.4, the other site is using 1.x), but some interesting problems
>> occurred; the details are as follows:
>>
>> Our site only accepts the non-@domain format for inner EAP tunnel
>> authentication, since the user DB only stores the user name without a
>> suffix (as in my previous post, the replier said that the EAP user name
>> cannot be changed by the terminal home server even using unlang or strip
>> in proxy.conf, so I gave up on changing the inner EAP user name on our
>> terminal home RADIUS).
>>
>> But the administrator of the other site which connects with us said that
>> their user names are also stored in the file/DB without a suffix, but
>> they can use @domain to pass EAP/MSCHAPv2 authentication with
>> Stripped-User-Name. I'm not sure how and why, but after testing, I can
>> use [email protected] as the user name of the outer EAP tunnel and
>> [email protected] as the user name of the inner EAP tunnel to pass the
>> authentication,
>
> That's fine.
>
>> and then I tried to remove the suffix from the inner EAP user name or
>> change the outer user name in the client EAP supplicant
>
> And why would you want to do a thing like that? Just leave it alone.
>
>
No, I just want to let our users use an anonymous account as the outer user
name for authentication, to improve security, and use their true account for
the inner tunnel.
>> (in our site changing the outer user name is accepted; you can use any
>> outer user name, since the proxy server only cares about the suffix), and
>> it fails. So what do you think about how the user name is actually stored
>> in the other site's DB: is it without a suffix or with it? But if it is
>> all without a suffix, why can't I log in with a non-suffix user name in
>> the inner EAP tunnel?
> Why do you care what is stored in their database? It's none of your
> concern. You just proxy unaltered usernames to them.
Because the administrator said that their user names are all without a
suffix, I wanted to set up a similar home RADIUS to do the authentication
with non-suffix user names (test 3 shown below), but it failed: if all
accounts are stored in the file/DB without a suffix, just like user1, I
cannot pass authentication with [email protected] in the inner tunnel, because I
don't know how (or it is impossible) to remove the suffix before doing the
authentication. I guess maybe they also store the user names with the suffix
in their DB/file.
>
>> And how can the suffix be removed in the inner EAP tunnel during
>> authentication?
>
> By using the suffix module in FreeRADIUS (enabled by default). You just
> configure aaa.net as a local realm in proxy.conf.
You mean add a realm in proxy.conf of the PROXY server, or of the home
terminal RADIUS server?
With the following configuration, it seems it should be applied on the home
RADIUS server, right?
realm aaa.net {
        auth_pool = localhost
        # nostrip (enable or not?)
}
The following are the results of my testing of outer tunnel and inner tunnel
authentication with my proxy and home RADIUS server, using
SecureW2_EAP_Suite_113 with PEAP/MSCHAPv2:
(1)
user name which stored in home radius file: [email protected]
outer tunnel name: [email protected] OR @aaa.net OR [email protected]
Inner tunnel name: [email protected]
result: passed
(2)
user name which stored in home radius file: [email protected]
outer tunnel name: [email protected] OR @aaa.net OR [email protected]
Inner tunnel name: user2
result: failed
(3)
user name which stored in home radius file: user2
outer tunnel name: [email protected] OR @aaa.net OR [email protected]
Inner tunnel name: [email protected]
result: failed
(4)
user name which stored in home radius file: user2
outer tunnel name: [email protected] OR @aaa.net OR [email protected]
Inner tunnel name: user2
result: passed
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
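Added example for the open question above (which server the realm belongs on, and whether to set nostrip). This is not configuration from the original post or from the FreeRADIUS distribution; it is a 2.x-style fragment written for illustration. The realm name aaa.net and the account user2 are taken from test (3) in the table; the password "secret" and the file paths are assumed. The point it shows: the realm must be declared on the HOME server (the one that terminates the EAP tunnel and runs the inner-tunnel virtual server), with no auth_pool or home_server, so that rlm_realm treats it as LOCAL and sets Stripped-User-Name; the files module then keys its lookup on Stripped-User-Name (its 2.x default key), which is what lets an inner name of user2@aaa.net match a users-file entry of plain user2.

```conf
# --- raddb/proxy.conf on the HOME server (FreeRADIUS 2.x syntax) ---
# A realm with no auth_pool / acct_pool / home_server is LOCAL: requests
# for it are not proxied. The "suffix" instance of rlm_realm
# (raddb/modules/realm: format = suffix, delimiter = "@") then adds
#   Stripped-User-Name = "user2"
#   Realm              = "aaa.net"
# to a request whose User-Name is "user2@aaa.net".
realm aaa.net {
        # Deliberately empty: no auth_pool here (the poster's
        # "auth_pool = localhost" would point at a pool that has to
        # exist; leaving it out is what makes the realm local).
        #
        # Do NOT add "nostrip": with nostrip the suffix is kept and
        # Stripped-User-Name is never set, which reproduces failing
        # test (3) (stored "user2", inner name "user2@aaa.net").
}

# --- raddb/sites-enabled/inner-tunnel on the HOME server ---
# Only the order matters: "suffix" has to run before "files" so that
# Stripped-User-Name exists when the users file is consulted. The
# default inner-tunnel virtual server already lists them this way.
server inner-tunnel {
        authorize {
                suffix
                files
                mschap
                eap
        }
        authenticate {
                mschap
                eap
        }
}

# --- raddb/modules/files on the HOME server (2.x default, shown only
# --- so the mechanism is visible; no change is needed) ---
files {
        usersfile = ${confdir}/users
        key = "%{Stripped-User-Name:-%{User-Name}}"
}

# --- raddb/users on the HOME server: stored WITHOUT a suffix, as in
# --- test (3)/(4). Password is a constructed example value. ---
user2   Cleartext-Password := "secret"
```

To confirm it is doing what you expect, run the home server with `radiusd -X` and watch the `[suffix]` lines inside the inner-tunnel section for the inner request: the realm should be found, Stripped-User-Name added, and the realm reported as local; `[files]` should then match the `user2` entry. Two caveats: the strip only changes the lookup key used by files/SQL/LDAP, it does not rewrite the User-Name the supplicant sent, so the MS-CHAPv2 exchange itself is unaffected (which is why the outer name can still be anything with the right suffix, as in the proxy); and this is the 2.x form. A 1.x home server (as at the other site) declares local realms differently in its proxy.conf, so the other admin's setup is not a template for a 2.1.4 server.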