eap-ttls pap proxy problem

Alan DeKok aland at ox.org
Wed Jul 13 21:19:08 CEST 2005

"Tim Tyler" <tyler at beloit.edu> wrote:
> users:
> DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu
>         Fall-Through = 1

  This makes no sense.  It says "do PAP authentication, but don't do
PAP, do proxy".

> ttls {
> #       default_eap_type = md5
> #	copy_request_to_tunnel = yes
> #	use_tunneled_reply = yes
> }

  I suggest uncommenting those 3 lines.

>     rlm_realm: Preparing to proxy authentication request to
> realm "stu"
>   rlm_eap: Request is supposed to be proxied to Realm stu. 
> Not doing EAP.
>   modcall[authorize]: module "eap" returns noop for request
> 5

  You've sent the server an EAP message, but *also* told it to proxy
the request to realm "stu".  As a result, the server doesn't do PAP,
CHAP, MSCHAP, or EAP.  Instead, it proxies the request to realm "stu",
as you told it to do.

  The solution is to use the "users" file entry I previously sent you:

DEFAULT FreeRADIUS-Proxied-To ==, Proxy-To-Realm := "stu"

  That will proxy the tunneled session, and ONLY the tunneled session
to realm "stu".

  Alan DeKok.

More information about the Freeradius-Users mailing list