terminating EAP tunnels, proxy and realms
Alan DeKok
aland at deployingradius.com
Mon Jun 25 14:07:07 CEST 2007
Arran Cudbard-Bell wrote:
> And indeed as the RFC states, the User-Identity needs to be set in the
> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
> count as one of these, as for all intents and purposes it provides no
> mechanism to proxy arbitrary segments of an EAP conversation on inner
> identity alone.
I'm not sure why that matters. The *NAS* sets User-Name in the
Access-Request. The proxying server doesn't have to do anything.
> Reason why I was asking is because most of the tests on the JRS test
> website seem to break when you base the reply in FreeRADIUS on the
> inner identity as opposed to the outer identity.
The "post-auth" section is run in the outer identity, so you can
re-write the reply to be whatever you want.
Alan DeKok.