On Tue, Jan 12, 2016 at 04:35:36AM +0000, David Lord wrote:
The problem I’m experiencing is that the eap_peap submodule does set FreeRADIUS-Proxied-To, but eap_ttls does not. In v2, both submodules did. Unfortunately I’m currently relying on this attribute for tunnelling in one server.
I believe the plan is to scrap FreeRADIUS-Proxied-To, which is a left-over from version 1 which didn't have virtual servers.
authorize { split_user_realm choose_eduroam_proxy # reject invalid realm, set Proxy-To-Realm to national federation or do nothing so it goes internally eap_eduroam if (“%{%{FreeRADIUS-Proxied-To}:-}” == 127.0.0.1) { # inner tunnel: ensure user exists in LDAP and is permitted access user_search # includes ldap_central and sets auth-type if appropriate } }
authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type ldap_central { ldap_central }
eap_eduroam }
Is this your outer or inner virtual server? It looks like you're trying to mix the two.
The result is that PEAP and various non-tunnelled EAPs authenticate correctly, but TTLS never enters the if-block and so no Auth-Type is ever set.
If my need isn’t utterly terrible, would it be possible to re-add FreeRADIUS-Proxied-To to eap_ttls?
I don't understand why you need it. If you have an outer (default) virtual server and an inner-tunnel virtual server, then by definition the inner-tunnel will be local traffic only, so you don't need to check for FreeRADIUS-Proxied-To. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>