Michael Griego <[EMAIL PROTECTED]> wrote:
> This really sounds like a fundamental design problem ("problem" used
> lightly in this case) in EAP-TTLS. The only UserID that the NAS (Access
> Point) knows about is the one sent to the initial EAP-Identity request.
Absolutely.
> The only way I can see to get around this problem easily is to, after
> the fact, correlate the authentication logs with another attribute in
> the accounting requests. CallingStationID is the best one that comes to
> mind right off the bat, since this should be unique to the session.
That's probably the best one to use.
> It would be nice if there were a way to feed the true username to the AP
> after the full EAP-TTLS conversation has completed, like an attribute in
> the final Access-Accept response from the RADIUS server. To my
> knowledge, however, there are no mechanisms for this in the standards,
> and this would require firmware upgrades on the access points.
The EAP standard allows for this. RFC 2869, top of page 11. The
Access-Accept from the server can include a User-Name attribute, which
the NAS should use in all subsequent accounting requests.
I'm not sure if this would work for TTLS, but it would be useful to
try.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
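Both approaches discussed in the thread, a User-Name attribute returned in the Access-Accept (RFC 2869) and after-the-fact correlation of authentication and accounting records on Calling-Station-Id, can be illustrated with a small worked example. The code below is an added example, not code from the original message, FreeRADIUS, or any access point firmware. It builds a constructed RADIUS packet, extracts the User-Name attribute (type 1) from an Access-Accept as a NAS would have to, and then shows the fallback: joining constructed auth-log and accounting-log records on Calling-Station-Id (type 31) to recover the inner TTLS identity for each accounting session. The packet contents, attribute values and log records are all constructed here; the attribute type numbers and the 20-byte header layout are the standard RADIUS ones.

```python
import struct

# RADIUS codes and attribute types from RFC 2865 (standard values).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1            # User-Name
ATTR_CALLING_STATION_ID = 31  # Calling-Station-Id
HEADER_LEN = 20               # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_packet(code, ident, attrs):
    """Build a raw RADIUS packet from (type, value) pairs.

    The Authenticator is zeroed because this example only exercises
    attribute parsing, not the Response Authenticator check.
    """
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body


def parse_radius(packet):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet.

    Every attribute length is checked against the packet's own Length field
    so a malformed or truncated attribute raises instead of reading past it.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field does not match packet")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def accept_user_name(packet):
    """User-Name carried in an Access-Accept, or None if absent / not an Accept.

    Per the thread (RFC 2869), a NAS that honours this attribute would use it
    in all later accounting requests instead of the outer EAP identity.
    """
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", "replace")
    return None


# Constructed records for the fallback: the NAS only saw the anonymous outer
# identity, so accounting carries that, while the auth log knows the inner one.
AUTH_LOG = [
    {"outer_id": "anonymous@example.org", "inner_id": "alice", "station": "00-11-22-33-44-55"},
    {"outer_id": "anonymous@example.org", "inner_id": "bob", "station": "66-77-88-99-AA-BB"},
    {"outer_id": "anonymous@example.org", "inner_id": "carol", "station": "00-11-22-33-44-55"},
]
ACCT_LOG = [
    {"user_name": "anonymous@example.org", "station": "66-77-88-99-AA-BB", "session": "0001"},
    {"user_name": "anonymous@example.org", "station": "00-11-22-33-44-55", "session": "0002"},
]


def correlate_by_calling_station(auth_log, acct_log):
    """Map each accounting session to the inner identity seen for that station.

    Auth records are applied in order, so the most recent authentication from
    a station wins; a station that re-authenticates as a different user before
    the accounting record arrives is the caveat with this approach.
    """
    latest_by_station = {}
    for rec in auth_log:
        latest_by_station[rec["station"]] = rec["inner_id"]
    return {rec["session"]: latest_by_station.get(rec["station"]) for rec in acct_log}


if __name__ == "__main__":
    accept = build_packet(ACCESS_ACCEPT, 7, [(ATTR_USER_NAME, b"alice")])
    print("User-Name from Access-Accept:", accept_user_name(accept))
    print("Correlated sessions:", correlate_by_calling_station(AUTH_LOG, ACCT_LOG))
```

The parser refuses packets whose Length field or attribute lengths disagree with the bytes actually received, which is the check a NAS or log-processing tool needs before trusting anything in the attribute list. The correlation step shows why Calling-Station-Id is only a best effort: it keys on the station, not the session, so the mapping silently reflects whichever authentication was most recent for that MAC address.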