terminating EAP tunnels, proxy and realms

Alan DeKok aland at deployingradius.com
Mon Jun 25 14:07:07 CEST 2007


Arran Cudbard-Bell wrote:
> And indeed as the RFC states, the User-Identity needs to be set in the 
> access requests for none EAP aware proxies. I suspect FreeRADIUS may 
> count as one of these, as for all intensive purposes as it provides no 
> mechanism to proxy arbitrary segments of an EAP conversation on inner 
> identity alone.

  I'm not sure why that matters.  the *NAS* sets User-Name in the
Access-Request.  The proxying server doesn't have to do anything.

> Reason why I was asking is because most of the tests on the JRS test 
> website seem to break when you base the reply in FreeRADIUS, on the 
> inner identity as opposed to the outer identity.

  The "post-auth" section is run in the outer identity, so you can
re-write the reply to be whatever you want.

  Alan DeKok.



More information about the Freeradius-Users mailing list