terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Sun Jun 24 22:51:01 CEST 2007
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> I was just looking at the protocol filters, they look interesting and
>> will make a lot of people on the list happy ...
>>
>
> rlm_protocol_filter? I put that in 2 years ago, and I didn't think
> anyone was using it...
>
>
Well, it's a little obscure; it's not included in the default
radiusd.conf file?
I guess if it's just working off EAP-Type then its functionality can be
replicated in unlang ...
I've just seen a few requests with people asking how they can limit EAP to xyz.
Can you clear something up for me with inner/outer identity? The outer
identity is in the User-Name attribute, it's a standard RADIUS
attribute... Inner identity is encoded in the EAP message, and is pulled
out by the EAP module prior to internal proxying and set as the
User-Name attribute (which should overwrite the User-Name attribute in
the request)?
And it's standard practice to leave the outer identity as anonymous, as
the only communication between the NAS and the Supplicant is EAP based
when using EAPOL, and so the NAS would have to understand EAP to be able
to extract the User-Name string and write it into the Access-Request
packet?
So although the NAS must send an EAP-Identity-Request when the client
connects, it's not required to understand the EAP-Identity-Response?
Thanks,
Arran