I am running FreeRADIUS version 2.1.7-7. I am doing clear-text password authentication against Active Directory using ntlm_auth. Then ldap is used for group checking. Finally, I have moved my policies to postauth_users in the post-auth group. This clear-text functionality works fine.

However, when I test PEAP using eapol_test, authentication also works fine, but the ldap group checking occurs only on the outer-tunnel username. In this case, the outer tunnel is created using the username "anonymous". This user doesn't exist in AD, so a failure is the response.

In inner-tunnel post-auth I have this snippet:

    update outer.reply {
        User-Name = "%{request:User-Name}"
    }

My understanding was that this should copy the real username from the inner tunnel to the outer tunnel. This should then allow the ldap group check to test the correct username. I never see an ldap check on the inner tunnel at all.

I see this strange output in debug in relation to the snippet above:

    [eap] Freeing handler
    ++[eap] returns ok
    +- entering group post-auth {...}
            expand: %{request:User-Name} -> radius_user
    ++[outer.reply] returns noop
    } # server inner-tunnel
    [peap] Got tunneled reply code 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "radius_user"
    [peap] Got tunneled reply RADIUS code 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "radius_user"
    [peap] Tunneled authentication was successful.
    [peap] SUCCESS
    [peap] Saving tunneled attributes for later

I would think that outer.reply should return ok or something other than noop. Looking forward to any help with getting the ldap group check working on the inner tunnel username.

Jason Fenner, CCNP
Network Engineer & Storage Administrator
Vita-Mix Corporation
8615 Usher Road, Cleveland, Ohio 44138
+1 (440) 782-2603 | jfen...@vitamix.com
IT Support: +1 (440) 782-2222 eMail: helpd...@vitamix.com

CONFIDENTIALITY NOTE: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and protected from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify me by telephone and permanently delete the original and any copy of this e-mail and destroy any printout thereof.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
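The security point in the post above is that authorization (the LDAP group check) was being evaluated against the anonymous outer identity rather than the real inner identity, which can let a user who is not in the required group through. The fragment below is an added illustration, not configuration from the poster or from the FreeRADIUS project: it sketches a FreeRADIUS 2.x inner-tunnel virtual server in which the group check runs inside the tunnel, where the real User-Name is visible, and the inner username is copied to the outer reply so that the accounting and logging on the outer request carry the authenticated identity. The group DN, the reply attribute and the section names are assumptions for illustration; the use_tunneled_reply setting in eap.conf is assumed to be the knob that makes the outer reply pick up the copied attributes.

```unlang
# Assumed inner-tunnel virtual server for PEAP/MSCHAPv2 (illustrative, not the poster's config).
server inner-tunnel {
    authorize {
        # The inner request carries the real identity; run ldap here so the
        # group check sees "radius_user", not the anonymous outer identity.
        ldap
        mschap

        # Assumed group DN: deny users who are not members before
        # authentication even starts. Ldap-Group is resolved by the ldap module.
        if (!(Ldap-Group == "cn=wireless-users,ou=groups,dc=example,dc=com")) {
            reject
        }
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }

    post-auth {
        # Expose the inner username on the outer reply so the NAS and the
        # outer-request logs record who actually authenticated.
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
    }
}

# Assumed eap.conf fragment: ask PEAP to merge attributes from the tunneled
# reply into the outer Access-Accept.
eap {
    peap {
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
```

The design choice worth noting: the authorization decision is made where the trustworthy identity lives (the inner tunnel), and the outer request is only given the result. Checking group membership on the outer User-Name would either always fail (anonymous identity, as in the post) or, worse, let a client supply an outer identity that belongs to an authorized group while authenticating inside the tunnel as someone else.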