Michael Griego <[EMAIL PROTECTED]> wrote:
> This really sounds like a fundamental design problem ("problem" used
> lightly in this case) in EAP-TTLS. The only UserID that the NAS (Access
> Point) knows about is the one sent to the initial EAP-Identity request.
Absolutely.

> The only way I can see to get around this problem easily is to, after
> the fact, correlate the authentication logs with another attribute in
> the accounting requests. CallingStationID is the best one that comes to
> mind right off the bat, since this should be unique to the session.

That's probably the best one to use.

> It would be nice if there were a way to feed the true username to the AP
> after the full EAP-TTLS conversation has completed, like an attribute in
> the final Access-Accept response from the RADIUS server. To my
> knowledge, however, there are no mechanisms for this in the standards,
> and this would require firmware upgrades on the access points.

The EAP standard allows for this. RFC 2869, top of page 11. The
Access-Accept from the server can include a User-Name attribute, which the
NAS should use in all subsequent accounting requests. I'm not sure if this
would work for TTLS, but it would be useful to try.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
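The after-the-fact correlation discussed in this exchange (joining the accounting records, which only ever carry the outer EAP-TTLS identity, to the authentication log on Calling-Station-Id) as an added worked example. This is not code from the thread or from FreeRADIUS; the log line format, the sample records, the 5-minute match window, the keying on Acct-Session-Id and the MAC normalisation are all assumptions made for the example.

```python
"""Correlate EAP-TTLS authentication logs with RADIUS accounting records.

With EAP-TTLS the NAS only sees the outer (anonymous) identity, so the
User-Name in its Accounting-Request packets cannot attribute a session to
a person.  This example joins each accounting session to the most recent
successful authentication from the same Calling-Station-Id (client MAC)
that happened shortly before the session's first accounting record.

The '<timestamp> <KIND> key=value ...' format and the records below are
constructed for this example; they are not FreeRADIUS's log format.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample data.  Note the NAS writes the MAC three different
# ways and every accounting record carries the same outer identity.
AUTH_LOG = """\
2003-04-01 09:00:01 AUTH result=ok outer=anonymous@example.org inner=alice csid=00-11-22-33-44-55
2003-04-01 09:00:05 AUTH result=ok outer=anonymous@example.org inner=bob csid=00:aa:bb:cc:dd:ee
2003-04-01 09:30:00 AUTH result=ok outer=anonymous@example.org inner=carol csid=00-11-22-33-44-55
2003-04-01 09:31:00 AUTH result=fail outer=anonymous@example.org inner=mallory csid=00-11-22-33-44-55
"""

ACCT_LOG = """\
2003-04-01 09:00:02 ACCT status=Start session=a1 user=anonymous@example.org csid=00-11-22-33-44-55
2003-04-01 09:00:06 ACCT status=Start session=b1 user=anonymous@example.org csid=00AABBCCDDEE
2003-04-01 09:20:00 ACCT status=Stop session=a1 user=anonymous@example.org csid=00-11-22-33-44-55
2003-04-01 09:30:01 ACCT status=Start session=a2 user=anonymous@example.org csid=00-11-22-33-44-55
2003-04-01 11:00:00 ACCT status=Start session=z9 user=anonymous@example.org csid=de-ad-be-ef-00-01
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (AUTH|ACCT) (.*)$")


def normalize_mac(csid: str) -> str:
    """Canonicalise Calling-Station-Id.  NAS vendors emit the MAC as
    00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455; compare all of
    them as lower-case colon-separated.  Non-MAC values compare as-is."""
    digits = re.sub(r"[^0-9a-fA-F]", "", csid).lower()
    if len(digits) != 12:
        return csid.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_log(text: str) -> List[Tuple[datetime, str, Dict[str, str]]]:
    """Parse the constructed log format into (timestamp, kind, fields)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        out.append((ts, m.group(2), fields))
    return out


def resolve_sessions(auth_text: str, acct_text: str,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, Optional[str]]:
    """Map each Acct-Session-Id to the inner (real) username, or None when
    no successful authentication from that station precedes the session's
    first accounting record within `window`."""
    auths = sorted(
        (ts, normalize_mac(f["csid"]), f["inner"])
        for ts, kind, f in parse_log(auth_text)
        if kind == "AUTH" and f.get("result") == "ok"   # failures never own a session
    )
    # Earliest accounting record per session (normally the Start).  In a
    # real deployment key on (NAS-IP-Address, Acct-Session-Id): session
    # ids are only unique per NAS.
    first: Dict[str, Tuple[datetime, str]] = {}
    for ts, kind, f in parse_log(acct_text):
        if kind == "ACCT":
            sid = f["session"]
            if sid not in first or ts < first[sid][0]:
                first[sid] = (ts, normalize_mac(f["csid"]))
    resolved: Dict[str, Optional[str]] = {}
    for sid, (start_ts, csid) in first.items():
        best = None
        for ats, acsid, inner in auths:
            if ats > start_ts:
                break  # auths are sorted; nothing later can apply
            if acsid == csid and start_ts - ats <= window:
                best = inner  # later matches overwrite: most recent wins
        resolved[sid] = best
    return resolved


def attribute_accounting(auth_text: str, acct_text: str) -> List[str]:
    """Re-emit the accounting records with the resolved user, flagging
    sessions that could not be attributed instead of guessing."""
    users = resolve_sessions(auth_text, acct_text)
    lines = []
    for ts, kind, f in parse_log(acct_text):
        if kind != "ACCT":
            continue
        user = users.get(f["session"])
        tag = user if user else f"UNRESOLVED(outer={f['user']})"
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {f['status']:5} session={f['session']} user={tag}")
    return lines


if __name__ == "__main__":
    for line in attribute_accounting(AUTH_LOG, ACCT_LOG):
        print(line)
```

Two caveats a practitioner would want. Calling-Station-Id identifies the client MAC, not the session, so the join has to be anchored on Acct-Session-Id (per NAS) and a time window, as above; and the result is only as trustworthy as the MAC itself, which a client can set freely. If the access point honours a User-Name attribute in the Access-Accept, as the reply suggests trying, the accounting records carry the real identity directly and this correlation step becomes unnecessary.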