06-08-2015 08:35 AM
When authenticating users via our FreeRadius service, I've got access to the EAP inner-tunnel User-Name attribute, so I can check that it's a valid format e.g. <userid>@york.ac.uk, or block access for individual users. With the eduroam network, the correct way to configure your client machine is to have your "realm" as the outer User-Name (@york.ac.uk in our case) and use your real userid in the inner-tunnel. The outer User-Name is therefore only "routing" information if you are at a remote site, so you don't need to have the user component bit before the "@".
While you should be able to use the chargeable-user-identity to disconnect offending users at remote sites, sometimes it's good to control access using the inner-tunnel User-Name.
Can't see any way of generating Roles or setting up enforcement policies based upon inner-tunnel User-Name attribute. Is this possible?
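As an added illustration (not part of this post, nor ClearPass or FreeRADIUS code), the check described above expressed as a small policy function: the outer User-Name only carries the eduroam routing realm, the inner User-Name must be a well-formed <userid>@realm for the home realm, and individual userids can be blocked. The home realm value is taken from the post; the block list and the `evaluate_inner_identity` name are constructed for the example.

```python
import re
from typing import Optional

HOME_REALM = "york.ac.uk"          # realm from the post
BLOCKED_USERS = {"abc123"}         # constructed sample block list of local userids

# <userid>@<realm>; userid limited to a conservative character set
INNER_IDENTITY = re.compile(
    r"^(?P<user>[a-z0-9._-]{1,64})@(?P<realm>[a-z0-9.-]+)$", re.IGNORECASE
)


def home_realm_of(outer_user_name: str) -> Optional[str]:
    """Realm from the outer (routing) identity, e.g. '@york.ac.uk' or 'anonymous@york.ac.uk'."""
    if "@" not in outer_user_name:
        return None
    return outer_user_name.rsplit("@", 1)[1].lower()


def evaluate_inner_identity(outer_user_name: str, inner_user_name: str) -> tuple:
    """Return (decision, reason) for an authentication seen by the home RADIUS server.

    Policy mirrors the post: only the realm of the outer User-Name matters for
    routing; the inner User-Name must be <userid>@HOME_REALM, agree with the
    outer realm, and the userid must not be on the block list.
    """
    outer_realm = home_realm_of(outer_user_name)
    if outer_realm != HOME_REALM:
        return ("reject", "outer realm is not our home realm; not a local user")
    m = INNER_IDENTITY.match(inner_user_name)
    if not m:
        return ("reject", "inner User-Name is not <userid>@<realm>")
    if m.group("realm").lower() != HOME_REALM:
        return ("reject", "inner realm does not match outer routing realm")
    user = m.group("user").lower()
    if user in BLOCKED_USERS:
        return ("reject", "user %s is blocked" % user)
    return ("accept", "local user %s" % user)


if __name__ == "__main__":
    for outer, inner in [("@york.ac.uk", "jsmith@york.ac.uk"),
                         ("@york.ac.uk", "abc123@york.ac.uk"),
                         ("@york.ac.uk", "jsmith"),
                         ("anonymous@other.ac.uk", "someone@other.ac.uk")]:
        print(outer, inner, "->", evaluate_inner_identity(outer, inner))
```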
06-08-2015 04:36 PM - edited 06-08-2015 04:40 PM
You were able to see the inner identity for visiting users? That doesn't seem right.
Radius:IETF:User-Name should give you the inner identity for your local users.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP