Re: outer identity anonymous is being rejected

2009-02-11 Thread Alan DeKok
Godfrey Peart wrote:
> My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS, this works 
> fine but some users are being rejected
>  because their wireless client allows the setting of an outer identity:
> anonymous or something else, which is not a valid username.

  You need to separate the rules for the outer && inner identity.

  The default configuration has the same "users" file being processed
for both the outer && inner sessions.  You might need to create a rule
to ignore it on the outer tunnel.

> So it's being rejected. How do I get the inner identity which contains a
> valid username to be processed instead of the outer identity.
>  I've seen some posts about using *Autz-type INNER* options but have
> merely succeeded in breaking my test system when trying it out.

  Don't use Autz-Type in 2.1.x.  "unlang" is better and more powerful.

  Try editing raddb/sites-enabled/default, and commenting out the
"files" line in the "authorize" section.  This will skip the "users"
file outside of the tunnel.

  Or, add a separate "files" module, and run that one inside of the tunnel.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
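
The second suggestion in the reply above, written out as configuration. This is an added example, not part of the original thread or the FreeRADIUS distribution; the instance name "inner_files" and the file name "users.inner" are assumptions, and it presumes the stock 2.1 layout where PEAP/TTLS inner sessions run in the "inner-tunnel" virtual server.

```conf
# --- raddb/modules/files ---------------------------------------------
# Keep the stock "files { ... }" instance as it is and add a second,
# named instance that reads its own file.
# "inner_files" and "users.inner" are example names (assumptions).
files inner_files {
	usersfile = ${confdir}/users.inner
	compat = no
}

# --- raddb/sites-enabled/default (outer session) ---------------------
# The outer User-Name may be "anonymous", so no per-user or per-group
# rule is evaluated here. Other modules in this section stay unchanged.
authorize {
	preprocess
	suffix
	eap {
		ok = return
	}
#	files
}

# --- raddb/sites-enabled/inner-tunnel (inner session) ----------------
# The inner User-Name is the real account name, so the group rules run
# here. Other modules in this section stay unchanged.
server inner-tunnel {
	authorize {
		suffix
		eap {
			ok = return
		}
		inner_files
	}
}

# --- raddb/users.inner -----------------------------------------------
# Move the group-based DEFAULT entries (Ldap-Group / SQL-Group checks
# and the Auth-Type := Reject fallbacks) from raddb/users into this
# file so they are matched against the inner identity only.
```

Running radiusd -X after the change shows which virtual server and which files instance handle each request, which confirms the reject rules no longer fire on the outer identity.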


outer identity anonymous is being rejected

2009-02-09 Thread Godfrey Peart
My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS, this works fine
but some users are being rejected
 because their wireless client allows the setting of an outer identity:
anonymous or something else, which is not a valid username.
So it's being rejected. How do I get the inner identity which contains a
valid username to be processed instead of the outer identity.
 I've seen some posts about using *Autz-type INNER* options but have merely
succeeded in breaking my test system when trying it out.

At present this is my users file:





#If you are not in either group, no access is allowed
#FreeRADIUS 2.1


#These are the groups we are checking for Lunar Building staff
DEFAULT Ldap-Group == "lunar-staff"
   Aruba-User-Role = "employee"

DEFAULT Ldap-Group == "lunar-member"
   Aruba-User-Role = "member"

DEFAULT SQL-Group == "Guests"
   Aruba-User-Role = "guest"


DEFAULT Ldap-group != "lunar-staff", Auth-Type := Reject
DEFAULT Ldap-group != "lunar-member", Auth-Type := Reject

#End