On 17 Oct 2017, at 18:46, work vlpl <thework.vlpl@gmail.com> wrote:
Hello, I am using v3.0.x branch and want to know is it possible to make proxy request to another freeradius/radius server after proxy radius server successfully handle request in eap module?
Should be possible, just call eap in authorise with method override. i.e. authorize { eap if (&control:Auth-Type == EAP) { eap.authenticate } } The trick there is determining when EAP has actually finished. I'd look and see if the return code of eap.authenticate changes on the final round after the user has been accepted, and use that as the trigger to proxy the final request to an upstream server. eap.authenticate if (ok) { update control { Proxy-To-Realm := 'foo' } } If the return code doesn't change, then the outcome might be available somewhere else, but that'd require some digging. I don't think the inner tunnel runs for EAP-TLS? At least there's no reason for it to. The other thing would be to check and see if the cert authorisation virtual server runs right before the Accept is returned... It might. In which case you can stick your Need-Remote-Call in the outer.session-state list and check for it in the outer server. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2