rosect...@yahoo.com wrote:
> I have two users (u1 and u2) and want to use PEAP to auth them. For each
> user, I will return an attribute. For example, attr1 for u1 and attr2
> for u2.
>
> An interesting thing is that, when my out-tunnel user name is
> "anonymous", I do not see any attribute being returned although the auth is
> successful.

Because you have configured "use_tunneled_reply". See eap.conf.

> Further testing shows, if I use user2's name (u2) as user1's out-tunnel
> name and use user1's name (u1) as user2's out-tunnel name, user1 will
> receive attr2 and user2 will receive attr1. It seems that the server
> picks attributes based on the out-tunnel name, not the real user name.

Yes... that's what you told it to do.

If you want different behavior in/out of the tunnel, *configure it*. That's why the "default" virtual server is different from the "inner-tunnel" virtual server. Their configuration is similar so that first installs are simple. But you can change them and edit them to meet your needs.

Alan DeKok.