Le 12/06/12, Alan DeKok <aland@deployingradius.com> a écrit :
Emmanuel BILLOT wrote:
> Could you explain what is the difference between the default file and
> the inner-tunnel file in /etc/raddb/site-enabled ?

  This is documented in the comments at the top of the files.

  The "default" virtual server handles normal RADIUS traffic.  However,
some EAP types set up a TLS tunnel between the PC and the RADIUS server.
The data *inside* of the TLS tunnel has to be authenticated.

  So... it's run through the "inner-tunnel" virtual server.
Hi,

Ok that's what i read from you on another post.


> When running in debug mode, i see sometimes
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> and
> sometimes
> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel

  Not "sometimes".  That is a very bad way to think about it.  The debug
log shows *exactly* what the server is doing.  Read it slowly, it will
make sense.
Sorry i didn't use correct words. I tried to follow each line in a radiusd -X output.

It begins with a a complete request, and the authorize section.
Parsing each authorize mechanism, only eap doesn't return "noops".

A first question : the default file says

eap {
 return ok
}

EAP request comes with EAP message and is so captured by the eap authorize section, right ?
It returns an update of the original request with Auth-Type = EAP

I can't understand why there is then one second authorize check.


> Is there any docs about the complete processing of EAP authentication ?

  Nope.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57