On Oct 17, 2017, at 3:26 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Should be possible, just call eap in authorise with method override.
i.e.
authorize { eap
if (&control:Auth-Type == EAP) { eap.authenticate } }
Oh god... that might actually work. You'd also have to delete the Auth-Type := EAP, too. And maybe add an "Auth-Type noop", with a "noop" thing there. Because the server really does expect to run an authenticate method.
The trick there is determining when EAP has actually finished. I'd look and see if the return code of eap.authenticate changes on the final round after the user has been accepted, and use that as the trigger to proxy the final request to an upstream server.
eap.authenticate if (ok) { update control { Proxy-To-Realm := 'foo' } }
That should work. The EAP module returns "ok" only when the user is authenticated. The other problem is that the reply from the home server will over-ride the reply from the EAP module. So you have to cache the EAP reply (just one EAP-Message), and re-add it after you get the reply from the home server. I'll see if I can do some testing today...
If the return code doesn't change, then the outcome might be available somewhere else, but that'd require some digging.
I don't think the inner tunnel runs for EAP-TLS? At least there's no reason for it to.
It's allowed for identity privacy. i.e. use an anonymous outer ID, and then send the certificate via the inner-tunnel. Alan DeKok.