Stefan Winter wrote:
> Ah, I found something about that. strongswan forwards the EAP message in
> RADIUS, and both of EAP-Resp/Identity and consequently User-Name are set
> to the *IP address* of the connecting client (the non-tunnel one).
> This looks like
>
> rad_recv: Access-Request packet from host 158.64.1.13 port 33044,
> id=199, length=97
>         User-Name = " \001\n\030\000\000\004\003aW\025����\353"
>         EAP-Message = 0x020000150120010a1800000403615715fda1b3aeeb
>
> when the client's public IP address is 2001:0a18:0000:0403:...

That is an absolutely horrible thing to do. They should fix that ASAP.

> We're still trying to stop that from happening. Either it's windows
> which thinks it has to identify itself with its IP address (even though
> we're PEAPing here, and "Enable identity privacy" is set - so it is
> explicitly told to use that string to authenticate), or it's strongswan
> making this up by itself.
>
> Anyway, not a FreeRADIUS problem.

I've had conversations with the Strongswan people, and met them in person. So if you have issues, CC me in email...

Alan DeKok.
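
The EAP-Message value in the quoted debug output can be decoded to confirm what the User-Name shows: the Identity field carries a packed 16-byte IPv6 address rather than a textual identity. The following is an added example, not part of the original message and not FreeRADIUS or strongSwan code; the function names are hypothetical, and it assumes the whole EAP packet sits in a single EAP-Message attribute.

```python
import ipaddress
import struct

EAP_RESPONSE = 2        # EAP Code field value for a Response
EAP_TYPE_IDENTITY = 1   # EAP Type field value for Identity


def parse_eap_identity(hex_value):
    """Return the raw identity bytes from an EAP-Response/Identity packet."""
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus Type byte")
    code, _ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(raw)))
    if code != EAP_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:]


def classify_identity(identity):
    """Return (kind, value): printable text, a packed IP address, or other binary."""
    try:
        text = identity.decode("utf-8")
        if text and text.isprintable():
            return ("text", text)
    except UnicodeDecodeError:
        pass  # not valid UTF-8, so it cannot be a textual identity
    if len(identity) in (4, 16):
        addr = ipaddress.ip_address(identity)  # accepts packed 4- or 16-byte form
        return ("raw-ipv%d" % addr.version, str(addr))
    return ("binary", identity.hex())


# EAP-Message value copied from the debug output quoted in the message.
QUOTED_EAP_MESSAGE = "0x020000150120010a1800000403615715fda1b3aeeb"

if __name__ == "__main__":
    print(classify_identity(parse_eap_identity(QUOTED_EAP_MESSAGE)))
```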