OK, I think I'm another step closer now. I made the suggested change and there was no change in the logs. EAP still was not being done on the local machine and was failing on the proxy. However, I tried creating a second domain, set the original domain to go to LOCAL and the second domain to go to the proxy server. When I do that the proxy properly authenticates to Open Directory, step one. However, eventually I get a failure in rlm_eap again.
modcall: entering group authenticate for request 8 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler
Am I on to the beginning of a solution by using two domains or do I need to go back and then change something else?
Can you post both debugs from the server that is terminating eap. You can start with the request before it decides to proxy (you can leave out eap-tls tunnel creation). Ivan Kalik Kalik Informatika ISP