On 20 Jul 2011, at 15:40, Phil Mayers wrote:
> On 20/07/11 14:27, Scott Armitage wrote:
>
>> [ttls] Using saved attributes from the original Access-Accept
>> Reply-Message = "Authenticated by Test ORPS"
>
> Ok, looking at the debug the reason this is happening is that you are
> doing TTLS
On 20/07/11 14:27, Scott Armitage wrote:
[ttls] Using saved attributes from the original Access-Accept
Reply-Message = "Authenticated by Test ORPS"
Ok, looking at the debug the reason this is happening is that you are
doing TTLS/MSCHAP, as opposed to TTLS/EAP-MSCHAP.
[ttls] Got tunn
On 20 Jul 2011, at 12:49, Alexander Clouter wrote:
> Scott Armitage wrote:
>>
>> I have noticed that when authenticating using TTLS/MSCHAPv2 that the
>> outer-identity is used in the RADIUS reply packet even if the
>> use_tunneled_reply is set to yes for TTLS in
On 20 Jul 2011, at 13:39, Phil Mayers wrote:
> On 20/07/11 11:26, Scott Armitage wrote:
>> Hi,
>>
>> I have noticed that when authenticating using TTLS/MSCHAPv2 that the
>> outer-identity is used in the RADIUS reply packet even if the
>> use_tunneled_reply i
On 20/07/11 11:26, Scott Armitage wrote:
Hi,
I have noticed that when authenticating using TTLS/MSCHAPv2 that the
outer-identity is used in the RADIUS reply packet even if the
use_tunneled_reply is set to yes for TTLS in eap.conf
That's not what we see:
[ttls] Using saved attributes fro
Scott Armitage wrote:
>
> I have noticed that when authenticating using TTLS/MSCHAPv2 that the
> outer-identity is used in the RADIUS reply packet even if the
> use_tunneled_reply is set to yes for TTLS in eap.conf
>
> Does anyone know the reason for this?
>
TLS sess
Hi,
I have noticed that when authenticating using TTLS/MSCHAPv2 that the
outer-identity is used in the RADIUS reply packet even if the
use_tunneled_reply is set to yes for TTLS in eap.conf
Does anyone know the reason for this?
Thanks
Scott Armitage
On Thu, Jun 18, 2009 at 08:30:27AM +0200, Stefan Winter wrote:
> Hi,
>
> > Yes, I am aware privacy is a concern. As I am doing some tests, I
> > thought it would be easier to debug if there's a way to relate a request
> > to a proxied username. This is technically not possible or it's more a
> >
Hi,
> Yes, I am aware privacy is a concern. As I am doing some tests, I
> thought it would be easier to debug if there's a way to relate a request
> to a proxied username. This is technically not possible or it's more a
> political matter?
>
Technically impossible until you break TLS. OR make
Hi,
> I thought the outer-tunnel is set up to secure the connection between the
> user and the authentication server. So the Authentication has access to
> the unencrypted data which it in turn queries proxies to verify the
> received credentials; this data is encrypted using the home-server share
On Wed, Jun 17, 2009 at 01:23:57PM +0200, Stefan Winter wrote:
> The whole concept of inner tunneling and protecting it via TLS is
> *because* you are *not* supposed to see the actual authentication
> credentials. For your local users, you terminate the tunnel yourself and
> can decide to expose th
Hi,
> After uncommenting that in inner-tunnel, I see local users authenticated
> by the LOCAL auth called outer.reply. But this is not the case for
> external users(Realm handled by external proxy).
>
> The latter is what I really want: being able to see which external user
> is authenticating.
On Wed, Jun 17, 2009 at 10:48:07AM +0100, Ivan Kalik wrote:
> This is already present in post-auth in latest version (after a lengthy
> explanation):
>
> #update outer.reply {
> # User-Name = "%{request:User-Name}"
> #}
After uncommenting that in inner-tunnel, I see local users authenticat
>From this thread:
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-June/msg00576.html
>
> In eap.conf:
> ttls {
>
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> }
>
> In users:
>
> DEFAULT
> U
dius.org/mailman/htdig/freeradius-users/2005-June/msg00576.html
In eap.conf:
ttls {
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
In users:
DEFAULT
User-Name = "%{User-Name}",
Fall-Through = no
Running radiusd
on: Tuesday, 10 July 2007, 17h07mn 43s
Subject: use_tunneled_reply
Hello all, can anybody explain to me the meaning of the attribute
use_tunneled_reply in the peap configuration? what is the difference in
the behaviour of PEAP if I set this option to yes or no?
Thanks in advance.
-
Hi,
> Hello all, can anybody explain to me the meaning of the attribute
> use_tunneled_reply in the peap configuration? what is the difference in
> the behaviour of PEAP if I set this option to yes or no?
attributes you send back won't get passed if you don't use it.
alan
-
List info/
Hello all, can anybody explain to me the meaning of the attribute
use_tunneled_reply in the peap configuration? what is the difference in
the behaviour of PEAP if I set this option to yes or no?
Thanks in advance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Bjarni Hardarson" <[EMAIL PROTECTED]> wrote:
> When I set use_tunneled_reply = yes for PEAP i get an Access-Challenge with
> the correct attributes but the final Access-Accept has no attributes and the
> User-Name is the anonymous one from the outer tunnel. This username
"Bjarni Hardarson" <[EMAIL PROTECTED]> wrote:
> the correct attributes but the final Access-Accept has no attributes and the
> User-Name is the anonymous one from the outer tunnel. This username is then
> used by the AP for accounting.
> Is this by design or is my configuration wrong?
Looks like
Hi all,
I'm using FreeRADIUS with Cisco 1200 Series Access points for dynamic VLAN
assignment.
When I set use_tunneled_reply = yes for PEAP I get an Access-Challenge with
the correct attributes but the final Access-Accept has no attributes and the
User-Name is the anonymous one from the
[EMAIL PROTECTED] wrote:
> Maybe I could use radiusReplyItem as an
> attribute in edir with a value "User-Name = ${User-Name}"?
That should work.
Alan DeKok.
te in edir with a value "User-Name = ${User-Name}"?
thanks,
mack
- Original Message -
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Saturday, June 18, 2005 4:21 pm
Subject: Re: use_tunneled_reply
> [EMAIL PROTECTED] wrote:
> > > Did you set "User-Name = nov
[EMAIL PROTECTED] wrote:
> > Did you set "User-Name = novelluser" in the *reply* for the tunneled
> > session?
>
> H...I did not explicitly do this. How to?
Set it as a reply attribute?
user blah-blah = blah
User-Name = `%{User-Name}`
> > You can verify that, independent of EAP,
Hi,
> > You can verify that, independent of EAP, but using "radtest" with
> > the name & password of the tunneled user.
>
> I'm testing this now, but don't see the same "Access-Accept" message in
> the debug output. Guess I'm still missing something.
Keep in mind that contrary to the
- Original Message -
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Saturday, June 18, 2005 11:46 am
Subject: Re: use_tunneled_reply
> [EMAIL PROTECTED] wrote:
> > This leads a dunce like me to believe that radius will send a
> reply
> > back to AP/NAS tha
[EMAIL PROTECTED] wrote:
> This leads a dunce like me to believe that radius will send a reply
> back to AP/NAS that has User-Name equaling "novelluser", rather
> than "anonymous".
Did you set "User-Name = novelluser" in the *reply* for the tunneled
session?
You can verify that, independent
w value for User-Name, but it seems it's receiving
exactly what radius is sending it. I thought the
magical "use_tunneled_reply" setting was supposed to fix this? Am I
understanding what "use_tunneled_reply" is actually supposed to do?
Thanks for the patience and the a
So, in eap.conf I changed use_tunneled_reply to equal yes. Still,
> replies to NAS show User-Name = "anonymous". Have I missed
> something?
Run the server in debugging mode to see what's going on.
Alan DeKok.
ted to the backend db (in this case eDirectory). So, in
eap.conf I changed use_tunneled_reply to equal yes. Still, replies to
NAS show User-Name = "anonymous". Have I missed something?
Thanks for the help,
mack