I set copy_tunnel_reply to yes and I use the inner-tunnel user-name in my default / post-auth.
And I still have the real user-name hidden.

In default / post-auth :

    update reply {
        User-Name := "%{request:User-Name}"
        Tunnel-Medium-Type = 6
        Tunnel-Type = 13
        Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan %{reply:User-Name}`
    }

It will now work nicely with your fix.

Thanks

2009/6/2 Alan DeKok <al...@deployingradius.com>:
> a.l.m.bu...@lboro.ac.uk wrote:
>> does this fix mean that TTLS and PEAP get the inner identity copied
>> correctly so there is no more need for
>>
>> update outer.reply {
>>     User-Name = "%{User-Name}"
>> }
>
> That's still needed. The question is what do you want the server to
> do. Always over-ride the outer name with the inner one? If so, why is
> the outer one "anonymous", and the inner one "u...@realm"?
>
> i.e. "anonymous" is being used to hide the inner name... which
> promptly gets exposed with that rule. Is this a good idea?
>
> What else could be done to be secure, but also useful?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html