Hi,

> After uncommenting that in inner-tunnel, I see local users authenticated
> by the LOCAL auth called outer.reply. But this is not the case for
> external users (Realm handled by external proxy).
>
> The latter is what I really want: being able to see which external user
> is authenticating.

The whole concept of inner tunneling and protecting it via TLS is
*because* you are *not* supposed to see the actual authentication
credentials. For your local users, you terminate the tunnel yourself and
can decide to expose the information by uncommenting the above, but for
non-local users it is supposed to not work.

> As we are not doing Accounting, isn't it possible to
> move the outer.reply higher up in the stack? Or it shouldn't matter?

Outer anonymous identities preserve privacy of the (remote) user
authenticating. If you want to change that, you need a business agreement
with the remote party to disclose their user information to you.

Taking a peek at your mail domain name: if you are about to set up
eduroam - there is no automated disclosure of the inner identity in
eduroam. There is a process to ask the identity provider (IdP)
retroactively *if and when* the user has done something wrong and needs
to be traced. But there is no proactive information disclosure - or
better put, it's in the discretion of the IdP to tell the rest of the
world who his user is; unsurprisingly most IdPs opt not to do so, if for
no other reason than to evade privacy and data protection laws.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

