terminating EAP tunnels, proxy and realms

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Mon Jun 25 16:48:30 CEST 2007


Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> And indeed as the RFC states, the User-Identity needs to be set in the 
>> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may 
>> count as one of these, as for all intents and purposes it provides no 
>> mechanism to proxy arbitrary segments of an EAP conversation on inner 
>> identity alone.
> 
>   I'm not sure why that matters.  The *NAS* sets User-Name in the
> Access-Request.  The proxying server doesn't have to do anything.

Well, it needs to be able to read an identity of *some* kind, else how 
would it know where to proxy the packets to?

Just saying it's not technically EAP-aware in proxying mode; it doesn't 
matter, just academic discussion :)
> 
>> Reason why I was asking is because most of the tests on the JRS test 
>> website seem to break when you base the reply in FreeRADIUS, on the 
>> inner identity as opposed to the outer identity.
> 
>   The "post-auth" section is run in the outer identity, so you can
> re-write the reply to be whatever you want.
> 
Yes, but it still needs to grab various attributes from the SQL database, 
and I thought a different query was run for post-auth ... as in the one 
that logs reply packets ;)?

Maybe I'll move the defaults stuff to post-auth, as defaults set 
attributes using =, so they can't overwrite anything set earlier in 
authorize ... just fill in the blanks.

>   Alan DeKok.


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
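The point about defaults written with `=` only filling in blanks, as an added illustration that is not code from the thread or from FreeRADIUS itself: a minimal Python model of how FreeRADIUS attribute-list operators (`=`, `:=`, `+=`) merge values into a reply list, run over a constructed authorize-then-defaults scenario. Attribute names and values are sample data chosen for the example.

```python
# Added example (not FreeRADIUS code): a small model of FreeRADIUS reply-list
# operators, showing why "defaults" written with "=" cannot override an
# attribute already set in authorize, whereas ":=" replaces it.
# Scenario values below are constructed for illustration.

from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (attribute, value)


def apply(reply: List[Pair], attr: str, op: str, value: str) -> List[Pair]:
    """Apply one 'attr op value' update to a reply list and return a new list.

    =   add only if the attribute is not already present ("fill in the blank")
    :=  set to exactly this value, replacing any existing instances
    +=  append another instance regardless of what is present
    """
    present = any(a == attr for a, _ in reply)
    if op == "=":
        return reply if present else reply + [(attr, value)]
    if op == ":=":
        return [p for p in reply if p[0] != attr] + [(attr, value)]
    if op == "+=":
        return reply + [(attr, value)]
    raise ValueError(f"unsupported operator {op!r}")


def run_sections(sections: List[List[Tuple[str, str, str]]]) -> List[Pair]:
    """Apply sections in order, e.g. authorize first, then post-auth defaults."""
    reply: List[Pair] = []
    for section in sections:
        for attr, op, value in section:
            reply = apply(reply, attr, op, value)
    return reply


# Constructed scenario: authorize assigns a per-user VLAN; defaults run later.
AUTHORIZE = [("Tunnel-Private-Group-Id", ":=", "42")]
DEFAULTS_FILL = [("Tunnel-Private-Group-Id", "=", "1"), ("Session-Timeout", "=", "3600")]
DEFAULTS_FORCE = [("Tunnel-Private-Group-Id", ":=", "1")]


def defaults_fill_blanks() -> Dict[str, str]:
    """Defaults with '=' keep the VLAN from authorize and only add what is missing."""
    return dict(run_sections([AUTHORIZE, DEFAULTS_FILL]))


def defaults_override() -> Dict[str, str]:
    """Defaults with ':=' clobber the per-user VLAN set earlier."""
    return dict(run_sections([AUTHORIZE, DEFAULTS_FORCE]))


if __name__ == "__main__":
    print(defaults_fill_blanks())  # VLAN 42 kept, Session-Timeout added
    print(defaults_override())     # VLAN replaced with 1
```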


