terminating EAP tunnels, proxy and realms

Josh Howlett Josh.Howlett at ja.net
Mon Jun 25 14:02:24 CEST 2007


> > Nope; see RFC 3579 for the gory details:
> > 
> > "the NAS MUST copy the contents of the Type-Data field of the 
> > EAP-Response/Identity received from the peer into the User-Name 
> > attribute"
> > 
> 
> See that's what I suspected, else how could the User-Name 
> attribute be populated in the access requests...
> And indeed as the RFC states, the User-Identity needs to be 
> set in the access requests for non-EAP-aware proxies. I 
> suspect FreeRADIUS may count as one of these, as for all 
> intents and purposes it provides no mechanism to proxy 
> arbitrary segments of an EAP conversation on inner identity alone.
> Unless I missed something?

No, that's correct.

> > For the reason given above, it *does* need to understand the 
> > EAP-Identity-Response. But that's about it! The NAS is a pretty dumb 
> > device.
> 
> Reason why I was asking is because most of the tests on the 
> JRS test website seem to break when you base the reply in 
> FreeRADIUS, on the inner identity as opposed to the outer identity.

I'm surprised at that, IIRC (and I did write the code originally :-) the
tests use the same name for inner and outer. Still, it would probably be
best if you raised a ticket with JANET Customer Services as this is a
bit OT for this list.

best regards, josh.
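
The RFC 3579 rule quoted in this thread, as an added Python example that is not part of the original message and is not FreeRADIUS code: it pulls the Type-Data out of an EAP-Response/Identity, encodes it as a RADIUS User-Name attribute, and derives the realm a proxy would route on. The function names, the sample identity and the "text after the last '@'" realm rule are assumptions made for illustration.

```python
import struct

EAP_RESPONSE = 2        # EAP Code (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type (RFC 3748)
RADIUS_USER_NAME = 1    # RADIUS attribute type (RFC 2865)


def identity_from_eap_response(packet: bytes) -> bytes:
    """Return the Type-Data of an EAP-Response/Identity, as the NAS sees it."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP Response with a Type field")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE:
        raise ValueError("not an EAP-Response")
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    if packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an Identity response")
    # Octets past Length are link-layer padding and are ignored (RFC 3748).
    return packet[5:length]


def user_name_attribute(identity: bytes) -> bytes:
    """Encode a RADIUS User-Name attribute: Type, Length, Value."""
    if not 1 <= len(identity) <= 253:
        raise ValueError("User-Name value must be 1..253 octets")
    return bytes([RADIUS_USER_NAME, len(identity) + 2]) + identity


def realm_of(user_name: bytes) -> bytes:
    """Assumed NAI-style realm rule: text after the last '@', else empty."""
    _local, sep, realm = user_name.rpartition(b"@")
    return realm if sep else b""


def make_identity_response(ident: int, identity: bytes) -> bytes:
    """Build a constructed EAP-Response/Identity for the demo."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


if __name__ == "__main__":
    # Constructed sample: an outer identity followed by two padding octets.
    pkt = make_identity_response(7, b"anonymous@example.ac.uk") + b"\x00\x00"
    outer = identity_from_eap_response(pkt)
    print(user_name_attribute(outer).hex(), realm_of(outer).decode())
```

Only the outer identity ever reaches this code path; an inner identity travels inside the EAP tunnel and is visible only to the server that terminates it.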




