terminating EAP tunnels, proxy and realms

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sun Jun 24 22:51:01 CEST 2007


Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> I was just looking at the protocol filters, they look interesting and
>> will make a lot of people on the list happy ...
>
>   rlm_protocol_filter?  I put that in 2 years ago, and I didn't think
> anyone was using it...

Well, it's a little obscure; it's not included in the default
radiusd.conf file?
I guess if it's just working off EAP-Type then its functionality can be
replicated in unlang ...
I've just seen a few requests with people saying how can I limit EAP to xyz.

Can you clear something up for me with inner/outer identity? The outer
identity is in the User-Name attribute, it's a standard RADIUS
attribute... Inner identity is encoded in the EAP message, and is pulled
out by the EAP module prior to internal proxying and set as the
User-Name attribute (which should overwrite the User-Name attribute in
the request)?

And it's standard practice to leave the outer identity as anonymous, as
the only communication between the NAS and the Supplicant is EAP based
when using EAPOL, and so the NAS would have to understand EAP to be able
to extract the User-Name string and write it into the Access-Request
packet?

So although the NAS must send an EAP-Identity-Request when the client
connects, it's not required to understand the EAP-Identity-Response?

Thanks,
Arran
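
An added example, not part of the original message: a small parser for the EAP-Response/Identity packet (RFC 3748 layout), showing the string that RFC 3579 has the NAS copy into User-Name for the outer exchange, the realm a proxy would route on, and the separate identity carried inside the tunnel. The function names and the sample identities are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type field (RFC 3748)

def build_identity_response(identifier, identity):
    """Build an EAP-Response/Identity: Code, Identifier, Length, Type, Type-Data."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data

def identity_from_eap(packet):
    """Return the Type-Data of an EAP-Response/Identity, or None for other EAP packets."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not match packet size")
    # Success/Failure packets are 4 bytes and carry no Type field.
    if code != EAP_RESPONSE or length < 5 or packet[4] != EAP_TYPE_IDENTITY:
        return None
    return packet[5:length].decode("utf-8", errors="replace")

def split_realm(user_name):
    """Split user@realm on the last '@'; realm is None when absent."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)

def routing_view(outer_packet, inner_packet):
    """What a proxy sees (outer) versus what the tunnel-terminating server sees (inner)."""
    outer = identity_from_eap(outer_packet)
    inner = identity_from_eap(inner_packet)
    return {"outer_user_name": outer,
            "proxy_realm": split_realm(outer)[1],
            "inner_user_name": inner}

if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread.
    outer = build_identity_response(1, "anonymous@example.org")
    inner = build_identity_response(7, "alice@example.org")
    print(routing_view(outer, inner))
```

Only the outer packet is visible to the NAS and to intermediate proxies; the inner packet travels inside the TLS tunnel and is readable only by the server that terminates it.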
