Deleting VLAN information while proxying

Tomasz Wolniewicz Tomasz.Wolniewicz at
Tue Feb 7 14:28:03 CET 2006

We have the following problem arising form the eduroam project.
Our university radius server sets VLAN information based on user
attributes form the LDAP directory.
This works fine when the system is used internally. However when our
user authenticates while visiting another institution, this VLAN
information should not be sent out. In such a situation, the
authentication request arrives via the national proxy.  We have managed
to configure VLAN blocking for EAP-TLS since then we can use
Client-IP-Address information. If this address corresponds to the
address of the national proxy then we do not set VLAN information at
all. This approach breaks down with EAP-TTLS. The internal proxy
mechanism rewrites the Client-IP-Address to localhost and all requests
look the same.
We could in principle base our decision on huntgroups, creating a
huntgroup for all out NASes, but his looks so clumsy and a mess to
Is there a better trick to solve this?


-- Tomasz Wolniewicz Tomasz.Wolniewicz at Uczelniane Centrum Informatyczne
Information&Communication Technology Centre Uniwersytet Mikolaja
Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl.
Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850
tel kom.: +48-693-032-576

More information about the Freeradius-Users mailing list