Routing new RFC7542-style realms
Alan DeKok
aland at deployingradius.com
Mon Oct 3 16:47:51 CEST 2016

On Oct 2, 2016, at 2:55 PM, Stefan Paetow <Stefan.Paetow at JISC.AC.UK> wrote:
>
>> No, I mean *all* of the logic has to be in unlang. Don't use the realm
>> module at all.
>
> Hmmm, to follow up on this... I've gotten it to route correctly, but on
> the ultimate destination (i.e. at "realhome.realm"), I now get a message
> saying that the EAP Identity does not match User-Name, which then
> subsequently leads to failure. It's not quite unexpected since EAP keeps
> track of what User-Name *should* be.

Yes. The solution is to not mangle the User-Name.

Which means that the home server *must* have the following logic:

    if Realm == "example.com" &&
       Packet-Src-IP-Address == ip.for.example.com {
        look for "realm2|user at ..."
    }

I'll put this into my ongoing "RADIUS proxy issues" document.

Alan DeKok.