Super Contributor II

Access to clearpass inner-tunnel User-Name attribute

When authenticating users via our  FreeRadius service, I've got acces to the EAP inner-tunnel User-Name attribute, so I can check that its a valid format e.g.<userid>, or block  access for individual users. With the eduroam network, the correct way to configure your client machine is to have your "realm" as the outer User-Name ( in our case) and use your real userid in the inner-tunnel. The outer User-Name is therefor only "routing" information if you are at a remote site so you don;t need to have the user component bit before the "@".


While you should be able to use the chargeable-user-identity to disconnect offending users at remote sites, sometimes its good to control access using the inner-tunnel User-Name.


Can't see any way of generating Roles or setting up enforcement policies based upon inner-tunnel User-Name attribute. Is this possible?






Guru Elite

Re: Access to clearpass inner-tunnel User-Name attribute

You were able to see the inner identity for visiting users? That doesn't seem right.


Radius:IETF:User-Name should give you the inner identity for your local users.

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Super Contributor II

Re: Access to clearpass inner-tunnel User-Name attribute

No not visiting users, you can't see that, for our users either on site or auths coming in from external sites

Sent from my iPhone 6 plus
Search Airheads
Showing results for 
Search instead for 
Did you mean: