When using PEAP, you should use the inner ID, not the outer ID. It is the inner
ID that authenticates. The outer ID is generally used for proxy decisions, but
otherwise may be set to anything.
(Caution: possible typos ahead!)
My FreeRADIUS book suggests comparing the inner & outer IDs. If they are
different, copy the inner ID to the outer ID.
In the sites-enabled/inner-tunnel file, at the top of the post-auth section:

    # Inner (tunneled) User-Name is what actually authenticated; if it differs
    # from the outer identity, send it back so the outer reply carries the real user
    if (outer.request:User-Name != "%{request:User-Name}") {
        update reply {
            User-Name := "%{request:User-Name}"
        }
    }
Edit eap.conf and change to use_tunneled_reply = yes
Restart FreeRADIUS
Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011
From: Chuck Enfield [mailto:[email protected]]
Sent: Tuesday, January 31, 2012 10:00 PM
Subject: Re: Strange Apple 802.1x Client Names
We've had 30 clients since late November which have used an outer ID of
com.apple.systemdefault at one point or another. It seems in all cases to have
been an isolated instance, and none of them successfully authenticated during
that session. All but one of those MACs has been on the network successfully
using a different outer ID since that failed attempt.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]]
On Behalf Of Lee H Badman
Sent: Tuesday, January 31, 2012 12:55 PM
To: [email protected]
Subject: [WIRELESS-LAN] Strange Apple 802.1x Client Names
Not quite sure what to make of this yet. If anyone is running an 802.1x secure
wireless network, can you search your wireless management systems for wireless
clients called either of these:
com.apple.kerberos.kdc
com.apple.systemdefault
We have a handful of these that are authenticating as valid user names in our
Cisco wireless/ACS environment. We only auth against AD, and we typically see a
mix of "real" usernames in the log that will somehow correlate to these, but at the
same time it's weird that these funky names are showing as valid usernames both
in the WLAN system and in ACS.
Web searching shows that these are some kerfuffle to do with obsolete keychain
certs in the Apple OS.
Wild and weird- anyone been here before?
-Lee Badman
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
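As an added example (written for this page, not code from any of the posters above), here is a Python script that runs the search Lee asks for over FreeRADIUS radius.log "Auth:" lines rather than a wireless management console. It flags outer identities beginning with com.apple., pairs each with the inner-tunnel identity logged for the same MAC in the same exchange (the line FreeRADIUS marks "via TLS tunnel"), and reports whether the same MAC later succeeded with a different outer ID, which is the pattern Chuck describes. The log lines are constructed for the example; the regex assumes FreeRADIUS's radius.log format and would need adapting for a Cisco ACS export.

```python
import re
from collections import defaultdict
from datetime import datetime

# Outer identities that Apple supplicants have been seen to send in place of a
# real username (the two names from the thread); the prefix match also catches
# any similar com.apple.* system identity.
APPLE_SYSTEM_IDENTITY = re.compile(r"^com\.apple\.")

# FreeRADIUS radius.log "Auth:" lines.  The PEAP inner-tunnel result carries a
# trailing "via TLS tunnel"; the outer result for the same exchange does not.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"(?P<result>Login OK|Login incorrect)(?: \(.*\))?: "
    r"\[(?P<identity>[^\]/]+)(?:/[^\]]*)?\] "
    r"\(from client \S+ port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)"
    r"(?P<inner> via TLS tunnel)?\)$"
)

# Constructed sample log (not from any real server): one normal client, one
# matching Chuck's pattern (systemdefault rejected, same MAC later accepted with
# a real outer ID) and one matching Lee's (kerberos.kdc accepted as the outer
# name because the inner identity was a real user).
SAMPLE_LOG = [
    "Tue Jan 31 12:01:05 2012 : Auth: Login OK: [jsmith] (from client wlc1 port 13 cli 00-23-12-AA-BB-01 via TLS tunnel)",
    "Tue Jan 31 12:01:05 2012 : Auth: Login OK: [jsmith] (from client wlc1 port 13 cli 00-23-12-AA-BB-01)",
    "Tue Jan 31 12:03:40 2012 : Auth: Login incorrect (mschap: FAILED): [com.apple.systemdefault] (from client wlc1 port 13 cli 00-23-12-AA-BB-02)",
    "Tue Jan 31 12:05:10 2012 : Auth: Login OK: [mjones] (from client wlc1 port 13 cli 00-23-12-AA-BB-02 via TLS tunnel)",
    "Tue Jan 31 12:05:10 2012 : Auth: Login OK: [mjones] (from client wlc1 port 13 cli 00-23-12-AA-BB-02)",
    "Tue Jan 31 12:07:22 2012 : Auth: Login OK: [pdoe] (from client wlc1 port 13 cli 00-23-12-AA-BB-03 via TLS tunnel)",
    "Tue Jan 31 12:07:22 2012 : Auth: Login OK: [com.apple.kerberos.kdc] (from client wlc1 port 13 cli 00-23-12-AA-BB-03)",
]


def parse_line(line):
    """Parse one radius.log Auth line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "ok": m["result"] == "Login OK",
        "identity": m["identity"],
        "mac": m["mac"].upper().replace(":", "-"),
        "inner": m["inner"] is not None,
    }


def analyze(lines, window_seconds=2):
    """Return one finding per outer-identity event whose name is com.apple.*.

    Each finding records whether that exchange was accepted, the inner-tunnel
    identity logged for the same MAC within window_seconds (the real user, if
    any), and the first later outer identity that succeeded from the same MAC.
    """
    by_mac = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_mac[ev["mac"]].append(ev)

    findings = []
    for mac, evs in by_mac.items():
        evs.sort(key=lambda ev: ev["time"])
        for ev in evs:
            if ev["inner"] or not APPLE_SYSTEM_IDENTITY.match(ev["identity"]):
                continue
            inner = [x["identity"] for x in evs if x["inner"]
                     and abs((x["time"] - ev["time"]).total_seconds()) <= window_seconds]
            later = [x["identity"] for x in evs if not x["inner"] and x["ok"]
                     and x["time"] > ev["time"] and x["identity"] != ev["identity"]]
            findings.append({
                "mac": mac,
                "time": ev["time"].isoformat(sep=" "),
                "outer": ev["identity"],
                "accepted": ev["ok"],
                "inner": inner[0] if inner else None,
                "later_outer_ok": later[0] if later else None,
            })
    return findings


def report(findings):
    """Render findings as one line each, for a quick eyeball or a ticket."""
    out = []
    for f in findings:
        verdict = "ACCEPTED" if f["accepted"] else "rejected"
        who = f" (inner identity {f['inner']})" if f["inner"] else ""
        then = f"; later succeeded as {f['later_outer_ok']}" if f["later_outer_ok"] else ""
        out.append(f"{f['time']} {f['mac']} outer={f['outer']} {verdict}{who}{then}")
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

An accepted finding with a real inner identity is exactly the case Bruce's post-auth rewrite addresses: the WLAN controller and ACS only see the outer name unless the inner User-Name is copied into the reply. A rejected finding followed by a success from the same MAC under a different outer ID is the transient supplicant behaviour Chuck reports, and needs no action beyond noting it.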