(RADIATOR) anonymous at myabc.com
Jeff Wolfe
wolfe at ems.psu.edu
Mon Oct 9 08:11:46 CDT 2006
Terry Simons wrote:
> Hi Stuart,
>
> You are seeing the Response Identity, which, in the case of some EAP
> types (TTLS and PEAP come to mind) is not required to be the same as the
> actual username.
>
> When an 802.1X session is established, the first thing that happens is
> the creation of the TLS tunnel (in the case of 'secure' EAP types) and
> the real credentials are sent inside the TLS tunnel.
I believe the RADIUS protocol specifies that if you send back a
"User-Name" attribute in the access-accept packet, the NAS is supposed
to use that in the accounting packets instead of whatever the client
provides as the outer identity. We wrote an authhook for RADIATOR to
handle that for our Cisco APs and it seems to work pretty well.
The authhook also has the ability to fail an authentication if the inner
and outer identity as sent by the client don't match, but our users got
too confused, since most TTLS supplicants automatically set the outer
identity to "anonymous".
-JEff
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list