hi,

got a small question for those used to xlate etc. I have a development/test
setup here which is happily authenticating via EAP/TTLS and PEAP. however, what
I am seeing is that Windows users using PEAP are having their real name logged
and recorded, whereas the Mac TTLS and Windows TTLS folk are being recorded
as [EMAIL PROTECTED] - i.e. the outer layer is being recorded as their username
(the inner layer username is happily being used for the authorization stage
so all is okay... but the NAS and authentication/accounting SQL are filled with
the [EMAIL PROTECTED]).

now, the Windows PEAP users also have [EMAIL PROTECTED] as their outer ID but
I believe it's the 'Windows is a bit leaky with inner credentials' issue that
is allowing their real ID to be caught and logged.

what's the recommended way of fixing this? what have other people done to fix
this? enabling features such as use_tunneled_reply and log_stripped_name haven't
helped... I am thinking that xlate is the way to go

oh, and currently the RADPOSTAUTH table is showing the real ID and the
anonymous ID, which isn't helping the NAS which receives the anonymous part
last. do I simply drop or discard the anonymous part when it gets to this
proxy box?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
