terminating EAP tunnels, proxy and realms
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Mon Jun 25 16:48:30 CEST 2007
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> And indeed as the RFC states, the User-Identity needs to be set in the
>> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
>> count as one of these, as for all intents and purposes it provides no
>> mechanism to proxy arbitrary segments of an EAP conversation on inner
>> identity alone.
>
> I'm not sure why that matters. The *NAS* sets User-Name in the
> Access-Request. The proxying server doesn't have to do anything.
Well, it needs to be able to read an identity of *some* kind, else how
would it know where to proxy the packets to?
Just saying it's not technically EAP aware in proxying mode, it doesn't
matter, just academic discussion :)
>
>> Reason why I was asking is because most of the tests on the JRS test
>> website seem to break when you base the reply in FreeRADIUS, on the
>> inner identity as opposed to the outer identity.
>
> The "post-auth" section is run in the outer identity, so you can
> re-write the reply to be whatever you want.
>
Yes, but it still needs to grab various attributes from the SQL database,
and I thought a different query was run for post-auth ... as in the one
that logs reply packets ;) ?
Maybe I'll move the defaults stuff to post-auth, as defaults set
attributes using =, so can't overwrite anything set earlier in
Authorize.... just fill in the blanks.
> Alan DeKok.
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900