eap_ttls not setting 'FreeRADIUS-Proxied-To'

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jan 14 10:51:48 CET 2016


Hi,

> What I’ve ended up with is two virtual servers, inner and outer. Outer will always set all attributes, and then runs a custom attr_filter which keys on %{client:shortname}* and removes the private attributes from the clients with the wrong names.

not ideal. as what you are doing is a lot of LDAP or scripts etc to find group membership
assign VLAN etc etc ....and then stripping them out.

for efficiency, use virtual servers..

one pair - let's say 'default and inner-tunnel'  for all your inside stuff.....

for requests from the outside world, use a new pair eg

eduroam and eduroam-inner-tunnel  - these can be almost direct copies of the default and inner-tunnel
but a different eap config is used by the 'eduroam' to ensure that calls go to eduroam-inner-tunnel
for EAP...   then you just set virtual_server = eduroam  for those 3 clients

the efficiencies here

1) you don't need to check the User-Name is valid - the remote proxy only sends good stuff to you - that's
a lot of regex etc removed

2) you can block non-EAP for remote auths easily - allowing you to run your server for all internal stuff without
clashing with external policies - you can have any internal policy you want

3) avoid checking eg LDAP for group memberships for setting VLAN - as it's not going to be used

4) can call eg CUI for these external requests to generate such attributes (if you have no need to do this internally)

5) no need to worry about filtering certain attributes as you haven't set them

6) using separate virtual servers for separate functions is best common practice and
keeps the config far easier with less weird if/else/elsif and dealing with all sorts of
strange corner cases - making eg upgrade from 2.x to 3.x a lot easier

7) using a separate virtual server in config means we can look at providing a 'ready to go template'
for eduroam authentications without affecting your own internal config ;-)

alan
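The layout Alan describes, written out as an added FreeRADIUS 3.x configuration sketch (this is not config from the post, from the eduroam template, or from the FreeRADIUS project): a second eap module instance that points at its own inner tunnel, an outer 'eduroam' virtual server that only accepts EAP and never touches LDAP or VLAN logic, and clients bound to it with virtual_server. The instance name eduroam-eap, the client names, the example IP (from the documentation range) and the secret are assumed placeholders; cui_postauth is the stock policy from policy.d/cui and needs the usual cui sql instance and key to be configured separately.

```conf
# clients.conf -- the three external proxies are steered to the 'eduroam' server
# (names, address and secret are placeholders for illustration)
client eduroam-flr-1 {
	ipaddr         = 192.0.2.10
	secret         = replace-me
	shortname      = eduroam-flr-1
	virtual_server = eduroam
}
# ...repeat for the other two proxies; internal clients keep no virtual_server
# and therefore land in 'default' with the normal inner-tunnel

# mods-available/eap -- second instance of the eap module, identical to the
# default one except that the tunnelled methods go to eduroam-inner-tunnel
eap eduroam-eap {
	default_eap_type = peap
	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file          = ${cadir}/ca.pem
	}
	ttls {
		tls            = tls-common
		default_eap_type = mschapv2
		virtual_server = "eduroam-inner-tunnel"
	}
	peap {
		tls            = tls-common
		default_eap_type = mschapv2
		virtual_server = "eduroam-inner-tunnel"
	}
	mschapv2 {
	}
}

# sites-available/eduroam -- outer server for requests from the outside world.
# No listen section: requests arrive on the default listener and are
# redirected here by the client's virtual_server setting.
server eduroam {
	authorize {
		# point 2: block anything that is not EAP
		if (!&EAP-Message) {
			reject
		}
		# point 1: no User-Name sanity regexes, the proxy already did that
		eduroam-eap
	}
	authenticate {
		eduroam-eap
	}
	post-auth {
		# point 4: only external users get a Chargeable-User-Identity
		cui_postauth
		# point 5: nothing to strip, no VLAN/private attributes were ever set
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}

# sites-available/eduroam-inner-tunnel -- copy of inner-tunnel minus the
# LDAP group / VLAN assignment (point 3)
server eduroam-inner-tunnel {
	authorize {
		eduroam-eap {
			ok = return
		}
		mschap
		ldap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eduroam-eap
	}
	post-auth {
		# nothing VLAN-related here; only the inner identity reaches the outer server
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

Both new sites then need symlinks in sites-enabled, and the point of the split is visible in the outer authorize section: it is three statements long, with no LDAP call and nothing to filter afterwards, while the internal 'default' server can carry whatever group and VLAN policy it likes.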