On 25/10/2013 18:18, Alan DeKok wrote:
Phil Mayers wrote:
We have a need to run the post-auth section on proxied peap/ttls inner (proxied as EAP - none of the crazy packet mangling hacks). 2.x doesn't do this, I haven't checked 3.x but assume it's unchanged?
Actually, 2.2.1 should do this.
I've tried a few crazy hacks in the source but it all explodes; does anyone have any insight into what needs doing?
Magic. It's always magic.
I'm having a *really* hard time understanding how this works at all; I don't get how the code in peap.c:~1126 actually causes a proxy request to be sent; ultimately it's all called via rad_authenticate, which only seems to check/process request->proxy after authorize, when rlm_eap does all it's work in authenticate. Put another way - the original PEAP request containing the PEAP inner comes into rad_authenticate via listen.c - I don't see how, once TLS is decoded and peap.c has run the fake request via the inner tunnel server, how the proxy packet gets sent and replied to. (The reason for wanting to know this is to understand where to put the processing code so that the "fake" can be pushed through post-auth correctly without breaking "proxy as non-EAP" workaround)