Arran Cudbard-Bell wrote:
And indeed as the RFC states, the User-Identity needs to be set in the access requests for none EAP aware proxies. I suspect FreeRADIUS may count as one of these, as for all intensive purposes as it provides no mechanism to proxy arbitrary segments of an EAP conversation on inner identity alone.
I'm not sure why that matters. the *NAS* sets User-Name in the Access-Request. The proxying server doesn't have to do anything.
Reason why I was asking is because most of the tests on the JRS test website seem to break when you base the reply in FreeRADIUS, on the inner identity as opposed to the outer identity.
The "post-auth" section is run in the outer identity, so you can re-write the reply to be whatever you want. Alan DeKok.