>We are going to proxy EAP to another site with all freeradius (we are using
>2.1.4, another site using 1.x), but there are some interesting problems
>occurred, details are as follows:
>
>Our site only accept non @domain format for inner EAP tunnel
>authentication since user DB only store user name without suffix, (as I
>previous post, replier said that cannot change the EAP user name by terminal
>home server even using unlang or strip on proxy.conf, so I give up to
>change the inner EAP user name in our terminal home radius).
>
>But the administrator of another site which connect with us said that their
>user name store in file/DB also non suffix but can using @domain to pass
>the EAP/mschapv2 authentication with stripped-user-name, I'm not sure how
>and why, but after testing, I can using anonym...@aaa.net as user name of
>outer EAP tunnel and us...@aaa.net as user name of inner EAP tunnel to pass
>the authentication,

That's fine.

>and then I try to remove the suffix from inner EAP user
>name or change the outer user name in client EAP supplicant

And why would you want to do a thing like that? Just leave it alone.

>(in our site
>change outer user name is accept, you can use any outer user name since
>proxy server only care suffix) , it get fail, so do you think that how about
>the user name actually store in another site DB, is it without suffix or
>with it? But if it is all without suffix, why I cannot login with non suffix
>user name of inner EAP tunnel?

Why do you care what is stored on their database? It's none of your concern. You just proxy unaltered usernames to them.

>
>And how can remove the suffix in inner EAP tunnel while authentication?

By using suffix module in freeradius (enabled by default). You just configure aaa.net as a local realm in proxy.conf.

>Or all account have suffix in another site DB.

That is also possible.

Ivan Kalik
Kalik Informatika ISP
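
A configuration sketch of the local-realm approach described in the reply above. It is an added example, not part of the original message or of the FreeRADIUS distribution. It assumes a FreeRADIUS 2.x layout (`proxy.conf`, `modules/realm`, `sites-available/inner-tunnel`); the order of modules in `authorize` is illustrative, not the shipped default.

```conf
# --- proxy.conf ---------------------------------------------------
# A realm defined with no home server or pool is handled locally:
# requests for user@aaa.net are matched by the suffix module and are
# NOT proxied anywhere.
realm aaa.net {
}

# --- modules/realm ------------------------------------------------
# The "suffix" instance of the realm module splits User-Name on "@"
# and treats the right-hand part as the realm.
realm suffix {
	format = suffix
	delimiter = "@"
}

# --- sites-available/inner-tunnel ---------------------------------
# "suffix" must run in the virtual server that sees the inner
# (tunnelled) identity. For inner User-Name "user@aaa.net" it adds:
#     Realm              = "aaa.net"
#     Stripped-User-Name = "user"
# The User-Name attribute itself is left as the supplicant sent it;
# later modules look the account up by Stripped-User-Name.
authorize {
	suffix
	mschap
	eap {
		ok = return
	}
	files
}
```

Running the server in debug mode (`radiusd -X`) shows whether the inner request matched the realm and which attributes the suffix module added.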