2008/9/2 Ivan Kalik <tnt@kalik.net>:
You are using outdated version of the server which doesn't support virtual servers. In current version eap is processed by the default virtual server while inner tunnel is processed by - inner-tunnel virtual server. If you don't want to upgrade you can emulate this by using - real ones.
Set up another radius server with identical configuration which will process inner tunnel requests. Add realm inner-tunnel to the current server proxy.conf which will proxy requests to the new server. Add this to users file:
DEFAULT FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm := "inner-tunnel"
In that way stripped username will be sent to inner-tunnel server for authentication (which you have showed to work). You can't simply rewrite User-Name with Stripped-User-Name in your current setup because EAP will fail.
Ivan Kalik Kalik Informatika ISP
Thank you for the detailed analysis and explanation. For now I think I'll stick with the Apple supplied version of radiusd - perhaps Mac OS X Server 10.5.5 will include a newer radiusd(!) - When Apple (or I) updates to the current version of radiusd, will my current configuration then work as expected or how will I need to alter the configuration? This morning I found an acceptable workaround that I will stick to for the moment: That is to create an alias for the user in the Open Directory. The user "u1" is now also known as "u1@voneyben.net" hence it will be authenticated ;-). I "only" need to alter a few houndred users (need to make a script i guess :), but I'll get a "cleaner" setup by only being dependant upon _one_ server for the radius authentication. Thank you again for you anlysis! - TvE