Alan DeKok wrote:
Arran Cudbard-Bell wrote:
And indeed as the RFC states, the User-Identity needs to be set in the access requests for none EAP aware proxies. I suspect FreeRADIUS may count as one of these, as for all intensive purposes as it provides no mechanism to proxy arbitrary segments of an EAP conversation on inner identity alone.
I'm not sure why that matters. the *NAS* sets User-Name in the Access-Request. The proxying server doesn't have to do anything.
Well it needs to be able to read an identity of *some* kind, else how would it know where to proxy the packets to . Just saying it's not technically EAP aware in proxying mode, it doesn't matter, just academic discussion :)
Reason why I was asking is because most of the tests on the JRS test website seem to break when you base the reply in FreeRADIUS, on the inner identity as opposed to the outer identity.
The "post-auth" section is run in the outer identity, so you can re-write the reply to be whatever you want.
Yes but it still needs to grab various attributes from the SQL database, and I thought a different query was run for post-auth ... as in the one that logs reply packets ;) ? Maybe i'll move the defaults stuff to post-auth, as defaults set attributes using = , so can't overwrite anything set ealier in Authorize.... just fill in the blanks.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900