Alan,

Thanks for all the help! I need to modify my question. I am using mschapv2 inside ttls tunnel. Upon receipt of the MS-CHAP2-Success AVP, the client is able to authenticate the FR. If the authentication succeeds, the client sends an EAP-TTLS packet to FR containing no data. Only upon receiving this packet does FR authorize. But at this point, the request packet contains no inner tunnel identity. Is there any way to configure FR to authorize according to the inner-tunnel identity in this case?

Regards,
Gina

-----Original Message-----
From: freeradius-users-bounces+gina.zhang=alcatel-lucent....@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent....@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, February 23, 2010 3:41 AM
To: FreeRadius users mailing list
Subject: Re: Authorization through inner identity

Hi,

> Alan,
>
> All I want to do is to use inner username to lookup the database table
> to authorize.

so long as you call the relevant SQL module in the authorize {} section of inner-tunnel then the default config will work fine for you. - once the server is in inner-tunnel (called via EAP) it will only be dealing with the inner username (unless you've done something crazy/weird with the config!)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
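
Alan's advice above, sketched as a configuration fragment. This is an added example, not part of the original thread or the project's shipped configuration; it assumes the FreeRADIUS 2.x `raddb/sites-available/inner-tunnel` layout and an SQL module instance named `sql` that is already configured.

```conf
# raddb/sites-available/inner-tunnel  (path assumed: FreeRADIUS 2.x layout)
# Added illustration. Assumes an SQL module instance named "sql" exists.
server inner-tunnel {
	authorize {
		# Finds the tunneled MS-CHAP attributes in the inner request
		# and sets Auth-Type to MS-CHAP.
		mschap

		# Only acts when the inner method is itself EAP; for plain
		# MSCHAPv2 inside TTLS it does nothing and processing continues.
		eap {
			ok = return
		}

		# Inside this virtual server, User-Name is the inner identity,
		# so the SQL lookup is keyed on the inner username. This runs on
		# the tunneled request that carries the MS-CHAP2 response, one
		# round before the client's empty EAP-TTLS packet.
		sql
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```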