On 5 Aug 2016, at 11:36, Brian Julin <BJulin@clarku.edu> wrote:
Wussler, Doug wrote:
Perhaps there is something else I don¹t understand but it does not look like ³use_tunneled_reply² in the eap module is really deprecated. I can¹t get anything to work without that.
It's been removed in the 3.2.x devel branch.
I'm not sure how recent you have to be to get by without it,
Use the outer.session-state list to build the reply, and copy the contents across in post-auth. It’ll work in v3.0.x too and is less magical. # Outer post-auth { update { &reply: += &session-state:[*] } } From an architectural point of view the option was wrong, and was preventing us from moving to a clean design for protocol nesting. When you proxy to the inner tunnel, what you’re actually doing is decoding the TLVs from the EAP method, and creating a fake request with them, so the reply list from the inner tunnel server should be encoded as EAP method TLVs, it shouldn’t contain any RADIUS attributes, only EAP method attributes. This is important for things like the SoH module, which can actually run equally well with DHCP or PEAPv0. In terms of usability improvementsWe could also represent session-state as a request qualifier i.e. session.reply That’d allow all lists to be represented, and maybe the reply to be automatically merged? Does seem a bit more friendly. -Arran