Hi,

On Wed, Aug 20, 2014 at 09:27:30PM +0300, Heikki Vatiainen wrote:
> On 08/20/2014 01:55 AM, Klara Mall wrote:
>
> > I think I prefer %0 to %u because then it would be identical to
> > TTLS/PAP.
>
> The difference is with the first tunnelled request which will have empty
> User-Name. You could consider this:
>
> <Handler TunnelledByPEAP=1, Realm=a.kit.edu>
> ...
> </Handler>
> <Handler TunnelledByPEAP=1, Realm=b.kit.edu>
> ...
> </Handler>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename /dev/null
> </AuthBy>
> </Handler>
>
> The above will handle all PEAP tunnelled requests that have known realms
> and ground the requests with unknown realms. It will also catch the first
> tunnelled request with empty User-Name, but since it will only
> establish the inner EAP identity and launch EAP-MSCHAP-V2, it will not
> cause an authentication failure. The subsequent requests will have
> User-Name based on the inner EAP identity and a different Handler is chosen.
>
> If you look at the logs, the first inner request likely hits the outer
> Handler which works too, but the above will make clear that all inner
> requests will be handled by Handlers with TunnelledByPEAP.

Thanks, I understand. This seems to be a very good way to realise it. I will try this.

> > I.e. I can write in the user guide: "please make sure that
> > your inner identity contains the vlan realm." As far as I understand
> > the anonymous identity is without effect then (they can use
> > anonymous or anymous@colubris-test or ...). Hope I got that right.
> > My tests look like that anyway.
>
> Correct. With EAPAnonymous %0, the inner User-Name is never the
> User-Name from the incoming RADIUS request (the outer PEAP does have
> identity too, but it is normally the same as User-Name unless User-Name
> attribute has been rewritten).

What do you mean by "the incoming RADIUS request"? The outer request?

> The purpose of anonymous identity is only to get the request to the
> correct authentication server within the campus or across eduroam, etc.

Ok, so this really doesn't matter as in this context there's no roaming involved.

Regards
Klara

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
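As an added example, not code from the thread or from Radiator itself, here is a small Python model of how the Handler order Heikki describes dispatches the PEAP request sequence. It assumes Radiator's first-matching-Handler rule, that Realm compares against the part of User-Name after the last '@' (empty when User-Name is absent), and a constructed catch-all outer Handler named "outer" for the non-tunnelled request.

```python
# Model of Radiator Handler selection for the PEAP configuration discussed above.
# Not Radiator's code; the matching rules below are assumptions stated in the lead-in.

def realm_of(user_name: str) -> str:
    """Realm part of User-Name (after the last '@'), or '' if there is none."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""

def matches(check_items: dict, request: dict) -> bool:
    """True when every check item of a Handler matches the request (all must hold)."""
    for attr, wanted in check_items.items():
        if attr == "Realm":
            if realm_of(request.get("User-Name", "")) != wanted:
                return False
        elif request.get(attr) != wanted:
            return False
    return True

def select_handler(handlers, request):
    """The first Handler whose check items match wins; None if nothing matches."""
    for name, check_items in handlers:
        if matches(check_items, request):
            return name
    return None

# Handler order from the thread: realm Handlers first, then the /dev/null catch-all
# for tunnelled requests, then an assumed outer Handler for non-tunnelled requests.
HANDLERS = [
    ("peap-a.kit.edu", {"TunnelledByPEAP": "1", "Realm": "a.kit.edu"}),
    ("peap-b.kit.edu", {"TunnelledByPEAP": "1", "Realm": "b.kit.edu"}),
    ("peap-grounded",  {"TunnelledByPEAP": "1"}),  # AuthBy FILE, Filename /dev/null
    ("outer",          {}),                         # assumed catch-all outer Handler
]

def peap_conversation(inner_identity: str):
    """Constructed request sequence: the outer request with an anonymous identity,
    the first inner request with no User-Name yet (identity exchange only), then an
    inner request carrying the inner EAP identity for EAP-MSCHAP-V2."""
    requests = [
        {"User-Name": "anonymous@a.kit.edu"},                   # outer request
        {"TunnelledByPEAP": "1"},                               # first inner request
        {"TunnelledByPEAP": "1", "User-Name": inner_identity},  # subsequent inner request
    ]
    return [select_handler(HANDLERS, r) for r in requests]
```

An inner identity without one of the configured realms (or with no realm at all) ends up in the grounded Handler for every inner request, which is what makes the "inner identity must contain the vlan realm" rule from the user guide enforceable.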
