On Wednesday 06 February 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > With the previous release of freeradius 1.1.7, I could do the following
> > things:
> > - people with a correct outer identity and inner identity
> > (login/password) could be authorized and authenticated on a LDAP server,
> > using an EAP-TTLS tunnel, and obtained a WPA key.
> > - with the same radius server, I could authenticate people with EAP-PEAP
> > and mschapv2 on a sql database.
>
> 2.0.1 can do this, too.

I didn't really think it couldn't do that.

> > It was nice, but I had a small problem: accounting was done using the
> > outer identity. Since I was using the ldap to do the authorization,
> > people who put another valid identity weren't correctly accounted.
>
> In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
> configuration to fix this. Or, the other reply to your message.
>
> > I always finished by :
> > rlm_eap_ttls: Session established. Proceeding to decode tunneled
> > attributes. auth: No authenticate method (Auth-Type) configuration found
> > for the request: Rejecting the user
>
> The most common cause for this is that you massively edited the
> configuration file without understanding what it was doing. The simple
> answer is DON'T DO THAT.

I understand that very well. I think that "massively" is perhaps a little bit exaggerated, but I have made a really stupid mistake. I have located it using kdiff3 (thanks to the developer, it is a great tool). It is working better now that I really use inner-tunnel, and do not just believe that I use it..... Thanks to you.

However, the accounting is always done with the outer identity, even putting the:

update outer.reply {
    User-Name = "%{request.User-Name}"
}

in the post-auth of inner-tunnel. The

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
    User-Name := `%{User-Name}`,
    Fall-Through = yes

in the users conf file doesn't work better.

I got:

Login OK: [EMAIL PROTECTED]/xxxxxxxx] (from client ap-rectorat02 port 0)
+- entering group post-auth
expand: %{request.User-Name} ->
++[outer.reply] returns noop
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [EMAIL PROTECTED]/<via Auth-Type = EAP>] (from client ap-rectorat02 port 1 cli 00-0E-35-71-04-0C)
Sending Access-Accept of id 27 to 172.30.87.66 port 4347
	User-Name = ""
	MS-MPPE-Recv-Key = 0xec76f1095e9ec08db58453397df1c7f6a38acc1bada412e45a538ff6da6b60a5
	MS-MPPE-Send-Key = 0xb66e7bc27988a1d193f3cdb520c29a8c4fd6c75b4b5e0b4aaf8da3bda7bff2e6
	EAP-Message = 0x031b0004
	Message-Authenticator = 0x00000000000000000000000000000000

Do you know why User-Name is empty ?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
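Editor's note on the debug output above: the line "expand: %{request.User-Name} ->" shows the xlat expanding to an empty string, and "++[outer.reply] returns noop" shows the update then adding an empty User-Name. The example below is an added illustration, not code from this thread or from the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS 2.0.x, where a list-qualified attribute reference is written with a colon (%{request:User-Name}), and it uses the override operator := so that the inner identity replaces whatever User-Name the outer request carried. Returning the inner identity in the outer Access-Accept is what lets the NAS report that identity in its Accounting-Request, which is the accounting mismatch described in the quoted message.

```unlang
#  raddb/sites-available/inner-tunnel  (added example, FreeRADIUS 2.0.x assumed)
#
#  post-auth runs inside the TTLS/PEAP tunnel, where "request" is the
#  inner (authenticated) identity and "outer.reply" is the Access-Accept
#  that will be sent to the NAS on the outer, untunneled session.
post-auth {
	#  Copy the authenticated inner identity to the outer reply.
	#
	#  "%{request:User-Name}" is the 2.x syntax (list ":" attribute).
	#  The dotted form "%{request.User-Name}" expands to "" in 2.x,
	#  which is why the debug output above shows User-Name = "".
	#
	#  ":=" overrides any User-Name already present in outer.reply;
	#  "=" would only add it if absent, so an earlier empty value
	#  would be kept.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}
```

To verify, run the server in debug mode (radiusd -X) and repeat the authentication: the "expand:" line in the inner post-auth should now show the inner login (not an empty string), and the final "Sending Access-Accept" block should list that value in User-Name. Because the accounting record will then carry the inner identity, check that your accounting backend and any anonymity policy for the outer identity (for example anonymous@realm) agree with that choice before enabling it in production.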