Godfrey Peart wrote:
> My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS, this works
> fine but some users are being rejected
> because their wireless client allows the setting of an outer identity:
> anonymous or something else, which is not a valid username.

You need to separate the rules for the outer && inner identity. The default configuration has the same "users" file being processed for both the outer && inner sessions. You might need to create a rule to ignore it on the outer tunnel.

> So it's being rejected. How do I get the inner identity which contains a
> valid username to be processed instead of the outer identity.
> I've seen some posts about using *Autz-type INNER* options but have
> merely succeeded in breaking my test system when trying it out.

Don't use Autz-Type in 2.1.x. "unlang" is better and more powerful.

Try editing raddb/sites-enabled/default, and commenting out the "files" line in the "authorize" section. This will skip the "users" file outside of the tunnel.

Or, add a separate "files" module, and run that one inside of the tunnel.

Alan DeKok.
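
The two options from the reply, sketched as an added example for 2.1.x (not part of the original message and not the FreeRADIUS project's own configuration). Only the relevant lines of each file are shown; the instance name `inner_users` and the file name `users.inner` are hypothetical.

```conf
# raddb/modules/files
# Second instance of the "files" module, next to the stock one.
# "inner_users" and "users.inner" are hypothetical names for this example.
files inner_users {
	usersfile = ${confdir}/users.inner
	compat = no
}

# raddb/sites-enabled/default
# Outer session: User-Name here is the outer identity (e.g. "anonymous").
authorize {
	preprocess
	suffix
	eap {
		ok = return
	}
#	files		# commented out so "users" is not matched against the outer identity
}

# raddb/sites-enabled/inner-tunnel
# Inner session: User-Name here is the real username sent inside the tunnel.
authorize {
	mschap
	eap {
		ok = return
	}
	inner_users	# per-user rules are applied to the inner identity only
}
```

With this split, a client that sends an arbitrary outer identity still reaches the EAP module, and the per-user checks run only on the identity carried inside the TLS tunnel.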