Matt Ashfield wrote:
Hi All, I doubt my original post was doable; it probably doesn't make sense to ask FR to be able to force Inner=Outer identity. In that case, would it be possible to perform authorization based on the Inner identity instead of the Outer identity?
Sure. See the "copy_request_to_tunnel" (which you may need) and "use_tunneled_reply" (which you will need) config options on the particular EAP type you're using, and put something like this into play:
DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type = "INNER"
...then in authorize:
authorize {
        preprocess
        files
        Autz-Type INNER {
                # sql, ldap, a second files instance, or whatever module adds the VLAN tag
                files_2
        }
}
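Spelled out as an added example (not part of the reply above): the pieces that make the authenticated inner identity, rather than the outer one, drive the VLAN assignment. The eap.conf directives, the Freeradius-Proxied-To check and the Autz-Type sub-section are standard FreeRADIUS 2.x; the files_2 instance name, the users.inner path, the user alice and VLAN 100 are assumptions for illustration.

```conf
# eap.conf: run the inner (tunneled) request through its own virtual
# server and send the INNER reply (carrying the VLAN attributes) to the NAS.
eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
}

# modules: a second instance of the files module holding per-user VLAN
# assignments keyed on the inner identity (instance name and path assumed)
files files_2 {
        usersfile = ${confdir}/users.inner
}

# users: Freeradius-Proxied-To is only set on inner requests, so this
# DEFAULT entry never matches in the outer "default" server and only
# flags tunneled requests for the INNER authorization path.
DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type = "INNER"
        Fall-Through = Yes

# users.inner: reply items keyed on the authenticated inner User-Name
# (alice and VLAN 100 are constructed sample values)
alice
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := "100"

# sites-enabled/inner-tunnel: authorize runs against the inner request,
# so "files" sees Freeradius-Proxied-To and sets Autz-Type = INNER.
authorize {
        preprocess
        files
        Autz-Type INNER {
                files_2
        }
        mschap
        eap
}
```

Because the reply is assembled inside the tunnel and copied out by use_tunneled_reply, the VLAN a client lands on depends on the identity that actually authenticated, not on the anonymous outer identity it presented.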