question re inner tunnel / virtual server
Hi *, i try to get a better grip in understanding the virtual server for inner eap tunnel. Please forgive if any of the following statements represents misunderstanding of concepts from my side. Which of the following statements describe the inner tunnel virtual server for EAP wrong / correct ? EAP: -The eap module can map tunneled requests to a virtual server ( inner tunnel ) - It "knows" where to communicate by freeradius reading the virtual servers configs in sites-enabled -So the Port configured for the inner tunnel virtual server (statement valid only for this inner tunnel VS) is only relevant wrt external for testing purposes in order to test correct freeradius config wrt EAP -freeradius handles the communication to the inner tunnel with the above mentioned mapping of the eap module. So in productive use there is no need to reference the Port for the inner tunnel ( except when proxying or using the test for EAP to check for a valid config ) -the main goal of the inner tunnel virtual server is to allow completely independent policies for outer / inner tunneled sessions. hope i did not fall for to many misunderstandings TIA Micha
Michael Arndt wrote:
i try to get a better grip in understanding the virtual server for inner eap tunnel.
The TLS-based EAP methods involve setting up a TLS tunnel between the client PC and the RADIUS server. Processing of the TLS tunnel is done by the "default" virtual server. Just the same as CHAP, PAP, EAP-MD5, etc. Once the TLS tunnel is set up, authentication data is sent inside of the tunnel. The server treats this data just as if it was another authentication request, *but* processes it through the "inner-tunnel" virtual server. This allows the inner-tunnel policies to be different from the ones for the "default" virtual server. The policies *should* be different because it's a different kind of authentication: inside of a TLS tunnel.
-The eap module can map tunneled requests to a virtual server ( inner tunnel )
That's vague to the point of being meaningless. What's "map" ?
- It "knows" where to communicate by freeradius reading the virtual servers configs in sites-enabled
I have no idea what that means.
-So the Port configured for the inner tunnel virtual server (statement valid only for this inner tunnel VS) is only relevant wrt external for testing purposes in order to test correct freeradius config wrt EAP
That sounds right.
-freeradius handles the communication to the inner tunnel with the above mentioned mapping of the eap module. So in productive use there is no need to reference the Port for the inner tunnel ( except when proxying or using the test for EAP to check for a valid config )
No. Proxying has nothing to do with the "listen" section in the inner-tunnel.
-the main goal of the inner tunnel virtual server is to allow completely independent policies for outer / inner tunneled sessions.
Yes. When trying to understand things, keep the descriptions concrete, and fact-based. Saying requests can "map" to something is vague. Alan DeKok.
participants (2)
-
Alan DeKok -
Michael Arndt