Alexander Clouter wrote:
If you use the 'virtual_server' functionality in the ttls{} section of eap.conf, everything works great if you get an Access-Accept from the inner virtual server ('auth' for me). When I say "works great", I mean the 'post-auth' section of the EAP calling ('auth-eap') virtual server is munched through. However, if 'Access-Reject' is returned then 'post-auth' is not parsed and it bombs immediently back out to the to outer virtual server's ('dot1x') post-proxy section.
Yes.
Any suggestions, it would be nice if on Access-Reject that post-auth section was passed in 'auth-eap'.
That takes source code patches. Part of the issue is that the server *pretends* that the inner session is a separate authentication request. But actually treating it as separate is hard. So the TTLS && PEAP module fake it, and sometimes don't do a good job. This involves copying some more code from the server core into the modules. Alan DeKok.