How to convert the Reply-Message as challenge

Sankalp Dubey Sankalp_Dubey at
Tue May 14 13:42:17 CEST 2013


We have a RADIUS server which does not understand EAP, and we are using FreeRADIUS as an EAP-PEAP-GTC proxy-inner-tunnel.

As the present code does not set User-Password in EAP-PEAP-GTC mode, we made the following code changes:

1. File:  src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c

    In function gtc_initiate(void *type_data, EAP_HANDLER *handler)

    Added the following lines with reference to the src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c file:

   #ifdef WITH_PROXY
        /*
         *      The EAP session doesn't have enough information to
         *      proxy the "inside EAP" protocol.  Disable EAP proxying.
         */
        handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
   #endif


2. We also added the following function in the rlm_eap_gtc.c file:

      static int gtc_postproxy(EAP_HANDLER *handler, void *tunnel_data)

      This function doesn't seem to be called.

3. gtc_authenticate changes:



        /*
         *      If this option is set, then we do NOT authenticate the
         *      user here.  Instead, now that we've added the PAP
         *      attributes to the request, we STOP, and let the outer
         *      tunnel code handle it.
         *
         *      This means that the outer tunnel code will DELETE the
         *      EAP attributes, and proxy the PAP attributes to a
         *      home server.
         */
        if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
                /*
                 *      Set up the callbacks for the tunnel
                 */
                eap_tunnel_data_t *tunnel;

                tunnel = rad_malloc(sizeof(*tunnel));
                memset(tunnel, 0, sizeof(*tunnel));

                tunnel->tls_session = type_data;
                tunnel->callback = gtc_postproxy;

                /*
                 *      Associate the callback with the request.
                 */
                rcode = request_data_add(handler->request,


                                         tunnel, free);
                rad_assert(rcode == 0);

                pairdelete(&handler->request->packet->vps, PW_STATE);
                return 1;
        }



The modified rlm_eap_gtc.c is attached for reference.

With these code changes we are able to set the User-Password in EAP-PEAP-GTC proxy mode. Also, the debug message from gtc_postproxy is not visible in the log file.

However, when the proxied-to RADIUS server throws an Access-Challenge, the same is not forwarded by FreeRADIUS to the client, i.e. the Reply-Message is stripped by FreeRADIUS.

Please let us know how to convert the Reply-Message into a challenge for the client.

Thanks n regards

Sankalp Dubey
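
The conversion asked about above, as an added example (not code from the post or from FreeRADIUS): the Reply-Message text of a proxied Access-Challenge framed as an EAP-Request/GTC packet per RFC 3748. The function name and its parameters are hypothetical; returning the home server's State attribute in the next proxied request is assumed to be handled by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_ACCESS_CHALLENGE 11  /* RFC 2865 packet code */
#define EAP_CODE_REQUEST        1   /* RFC 3748 */
#define EAP_TYPE_GTC            6   /* RFC 3748, section 5.6 */
#define EAP_HEADER_LEN          5   /* code, identifier, length (2), type */

/*
 * Hypothetical helper: turn the Reply-Message of a home server's
 * Access-Challenge into an EAP-Request/GTC packet for the inner tunnel.
 * prev_eap_id is the identifier of the previous EAP request; a new
 * request must carry a different identifier, so it is incremented.
 * Returns the packet length, or 0 when the reply is not a challenge,
 * the message is empty, or the packet does not fit.
 */
size_t gtc_challenge_from_reply(int radius_code, uint8_t prev_eap_id,
                                const char *reply_msg,
                                uint8_t *out, size_t out_size)
{
    size_t msg_len, total;

    if (radius_code != RADIUS_ACCESS_CHALLENGE || !reply_msg || !out)
        return 0;
    msg_len = strlen(reply_msg);
    total = EAP_HEADER_LEN + msg_len;
    if (msg_len == 0 || total > out_size || total > 0xFFFF)
        return 0;

    out[0] = EAP_CODE_REQUEST;
    out[1] = (uint8_t)(prev_eap_id + 1);
    out[2] = (uint8_t)(total >> 8);     /* length is big-endian */
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = EAP_TYPE_GTC;
    memcpy(out + EAP_HEADER_LEN, reply_msg, msg_len); /* no NUL on the wire */
    return total;
}

int main(void)
{
    uint8_t pkt[64];
    /* Constructed sample: challenge text a token server might send. */
    size_t n = gtc_challenge_from_reply(11, 7, "Enter PIN", pkt, sizeof(pkt));

    for (size_t i = 0; i < n; i++)
        printf("%02x ", pkt[i]);
    printf("\n");
    return n ? 0 : 1;
}
```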