Hi,

> We are trying to use Freeradius to do PEAP/MSCHAPv2
> authentication against Active Directory (2003). Our realm is
> abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has
> to use [email protected] instead [email protected] as username.

you shouldn't send your own sub domains up to the national level - hopefully they have picked up on issues that older eduroam federations have had in the past....it can be the cause of loops... hopefully the national level has loop detection mechanisms for if an end site does something silly. it would be a shame if they are stopping you from using sub-realms...it's quite common elsewhere...

but anyway, you shouldn't need to worry, the outerid is just like the address on an envelope....to get the RADIUS request back to YOUR RADIUS servers. once it gets there, the EAP tunnel is created and the innerID is exposed..and that can be whatever you want - with realm or without realm. you can also adjust the ntlm_auth command to send whatever realm you want locally to the AD

of course, could have issues with older clients where you cannot adjust outerID

> My question is can you modify the realm behind the user's back?
> (during EAP process).

the username does not need to be used as-is..generally you could (and many do!) use the Stripped-User-Name in the ntlm_auth stage

alan
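
An added configuration example, not part of the original post and not FreeRADIUS's shipped files: one way to use Stripped-User-Name at the ntlm_auth stage as the reply describes. The realm `acme.edu` is taken from the question; the ntlm_auth path and the AD domain name `ABC` are placeholder assumptions.

```conf
# proxy.conf
# A realm declared with no home server pool is treated as local, so
# requests for it are handled on this server rather than proxied.
realm acme.edu {
}

# inner-tunnel virtual server, authorize section
# "suffix" runs against the inner identity exposed once the EAP tunnel
# is up. For user@acme.edu it sets Stripped-User-Name = "user".
authorize {
    suffix
    mschap
    eap
    # remaining modules as in your existing inner-tunnel file
}

# mschap module
# Hand ntlm_auth the stripped name, falling back to User-Name when no
# realm was present, and name the AD domain explicitly so the lookup
# does not depend on what the user typed after the "@".
# /usr/bin/ntlm_auth and ABC are placeholders for your installation.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=ABC --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```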

