(RADIATOR) anonymous at myabc.com
Stuart Kendrick
skendric at fhcrc.org
Mon Oct 9 10:36:13 CDT 2006
hi jeff,

i see ... something like:

    AddToReply User-Name = "%n"

i shall try that out during my next outage window, thanx

--sk

Jeff Wolfe wrote:
> Terry Simons wrote:
>> Hi Stuart,
>>
>> You are seeing the Response Identity, which, in the case of some EAP
>> types (TTLS and PEAP come to mind) is not required to be the same as
>> the actual username.
>>
>> When an 802.1X session is established, the first thing that happens is
>> the creation of the TLS tunnel (in the case of 'secure' EAP types) and
>> the real credentials are sent inside the TLS tunnel.
>
> I believe the RADIUS protocol specifies that if you send back a
> "User-Name" attribute in the access-accept packet, the NAS is supposed
> to use that in the accounting packets instead of whatever the client
> provides as the outer identity. We wrote an authhook for RADIATOR to
> handle that for our Cisco APs and it seems to work pretty well.
>
> The authhook also has the ability to fail an authentication if the inner
> and outer identity as sent by the client don't match, but our users got
> too confused, since most TTLS supplicants automatically set the outer
> identity to "anonymous".
>
> -Jeff
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.