What I really need to do is proxy the inner message to another Radius server which will do the authentication but I cannot get this to work. Whatever I try, I always see an EAP-Message avp heading off to the remote server. I have looked at the proxy-inner-tunnel virtual server but am unsure how to use it.
This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and you're sending it to the remote server.
Thanks, this is NOT what I want to do. I want to send the inner message, not the tunnel and do PAP on the remote server.
You can only do PAP on the remote server if your inner auth method was PAP. Basically, this means EAP-TTLS/PAP.
Doing that is simple:
server inner-tunnel { authorize { update control { Proxy-To-Realm := THEREALM } } }
If this isn't working, send a debug from "radiusd -X"
Many thanks Phil, that now works a treat. For other folks, the main trip up I had was the eapol config. Originally I had: network={ eap=TTLS eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="testpassword" ca_cert="/home/carla/ca.pem" phase2="auth=TTLS" } As per the original page, but I really needed: network={ eap=TTLS eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="testpassword" ca_cert="/home/carla/ca.pem" phase2="auth=PAP" } The "phase2" indicating the "inner" protocol. Obvious when you know!