On Fri, Jun 15, 2012 at 11:48:56AM +0200, Alberto Martínez wrote:
> However, we would want our NAS to see the inner true User-Name, not the
> outer one. I know this can be set in the inner-tunnel post-auth section
> uncommenting the update outer.reply lines, but that exposes our users'
> inner User-Name to proxied-to-us authentications.
>
> So my question is: Which attributes should I check to tell apart local and
> external auths?
In some way, that depends on what attributes you have available in
the requests to check. Packet-Src-Ip-Address is one way. Or set
huntgroups for your own NASes (NAS-IP-Address, etc), then just check
for membership of the huntgroup.

Just remember Packet-Src-Ip-Address can't easily be spoofed, whereas
attributes in the incoming packet can be.

Matthew

-- 
Matthew Newton, Ph.D. <[email protected]>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <[email protected]>
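The distinction drawn in the reply above, as an added Python example that is not part of the original message and is not FreeRADIUS code: the local/external decision is keyed on the source address the server saw, while NAS-IP-Address is parsed out of the packet and treated as a sender-supplied claim. The addresses (RFC 5737 documentation ranges), the allowlist and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed allowlist of our own NASes (assumption, documentation range).
LOCAL_NAS_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]
USER_NAME, NAS_IP_ADDRESS = 1, 4  # RFC 2865 attribute types


def build_access_request(user, nas_ip):
    """Build a minimal Access-Request as constructed sample input."""
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    # Code 1 (Access-Request), id 0, total length, all-zero authenticator.
    return struct.pack("!BBH16s", 1, 0, 20 + len(attrs), bytes(16)) + attrs


def parse_attributes(packet):
    """Return {type: value} for a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def claimed_nas_ip(packet):
    """NAS-IP-Address exactly as the sender wrote it; informational only."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    return str(ipaddress.ip_address(raw)) if raw and len(raw) == 4 else None


def is_local_auth(src_ip):
    """Decide on the packet source address, never on in-packet attributes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LOCAL_NAS_SOURCES)
```

A request relayed from a constructed proxy at 198.51.100.7 can carry NAS-IP-Address 192.0.2.5 and still be classified as external, because only the source address feeds the decision.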

