(RADIATOR) anonymous at myabc.com

Jeff Wolfe wolfe at ems.psu.edu
Mon Oct 9 08:11:46 CDT 2006


Terry Simons wrote:
> Hi Stuart,
> 
> You are seeing the Response Identity, which, in the case of some EAP 
> types (TTLS and PEAP come to mind) is not required to be the same as the 
> actual username.
> 
> When an 802.1X session is established, the first thing that happens is 
> the creation of the TLS tunnel (in the case of 'secure' EAP types) and 
> the real credentials are sent inside the TLS tunnel.

I believe the RADIUS protocol specifies that if you send back a 
"User-Name" attribute in the access-accept packet, the NAS is supposed 
to use that in the accounting packets instead of whatever the client 
provides as the outer identity. We wrote an authhook for RADIATOR to 
handle that for our Cisco APs and it seems to work pretty well.

The authhook also has the ability to fail an authentication if the inner 
and outer identity as sent by the client don't match, but our users got 
too confused, since most TTLS supplicants automatically set the outer 
identity to "anonymous".

-Jeff
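As an added illustration of the hook described above (my own sketch, not Jeff's authhook or any code shipped with Radiator), here is a PostAuthHook for the inner (tunnelled) Handler that returns the inner identity as the reply User-Name so the NAS accounts under the real user, with an optional strict mode that rejects a mismatching outer identity but tolerates the usual "anonymous" outer identity that TTLS supplicants send. It assumes Radiator's documented hook calling convention (references to request, reply, result and reason), that the inner request exposes the original outer request as $p->{outerRequest}, that the inner reply's attributes are carried into the outer Access-Accept, and that it is loaded with `PostAuthHook file:"%D/set-username.pl"`; the file name is a placeholder.

```perl
# Contents of set-username.pl (assumed to be loaded via
# PostAuthHook file:"%D/set-username.pl" on the tunnelled inner Handler).
sub {
    # Radiator passes references to the request, reply, result and reason.
    my ($p, $rp, $result, $reason) = (${$_[0]}, ${$_[1]}, $_[2], $_[3]);

    # Set to 1 to reject clients whose outer identity is neither the inner
    # identity nor "anonymous" (with or without a realm).
    my $strict = 0;

    # Only act on successful authentications of tunnelled inner requests;
    # $p->{outerRequest} is assumed to hold the original outer request.
    return unless $$result == $main::ACCEPT && $p->{outerRequest};

    my $inner = $p->get_attr('User-Name');
    my $outer = $p->{outerRequest}->get_attr('User-Name');
    return unless defined $inner;

    if ($strict && defined $outer
        && $outer ne $inner
        && $outer !~ /^anonymous(\@.*)?$/i) {
        $$result = $main::REJECT;
        $$reason = "Outer identity '$outer' does not match inner identity";
        &main::log($main::LOG_WARNING, "$$reason '$inner'", $p);
        return;
    }

    # Put the real identity in the Access-Accept so the NAS uses it in
    # Accounting-Request packets instead of the cleartext outer identity.
    $rp->change_attr('User-Name', $inner);
    &main::log($main::LOG_DEBUG,
               "Reply User-Name set to '$inner' (outer identity was '"
               . (defined $outer ? $outer : '') . "')", $p);
}
```

Whether the NAS honours the returned User-Name in its accounting records still depends on the NAS, so check the Accounting-Request packets after deploying rather than assuming it.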

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.