Hello Peter, Try to look at "attr_filter" section and configure it as you wishes: In your radiusd.conf:
attr_filter attr_filter.post-proxy { attrsfile = ${some path}/attrs.post-proxy }
This file may contains similar information:
DEFAULT User-Name =* ANY, Reply-Message =* ANY, State =* ANY, Class =* ANY, Message-Authenticator =* ANY, Calling-Station-ID =* ANY, Proxy-State =* ANY, EAP-Message =* ANY, MS-MPPE-Recv-Key =* ANY, MS-MPPE-Send-Key =* ANY, MS-CHAP-MPPE-Keys =* ANY
State and EAP-Message are needed for EAP. User-Name is for proxying to the right destination. If you do not put "User-Password" in this file, you will have this argument removed. Some institition will do PEAP instead of EAP-TTLS. It's most likely a bad idea to do processing on EAP-Message. Regards, Vincent Peter Eriksson <peter@ifm.liu.se> a écrit :
One thing I'd like to achive in the "EDUROAM"-responsible RADIUS "router" (server) is to make sure that *only* EAP-TTLS requests are forwarded to the RADIUS server doing the real user authentication.
Anyone got something already configured that I could copy?
Ie, I would like to make sure that it will reject requests that come in from the outside with user+password stuff sent in cleartext.
(And also make sure itself won't send out such requests).