How to pass attributes from EAP-TTLS outer to inner?

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Jun 26 18:27:37 CEST 2007


Jason Murray wrote:
> I have a situation where I need to pass the "Called-Station-Id" from
> the outer "anonymous" EAP Authentication-Request to the
> inner-authentication request.  Is this possible?
> 
> The problem is all my inner authentication requests look like this:
> 
> Tue Jun 26 10:55:03 2007
>         User-Name = "me at realm"
>         User-Password = "somepass"
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         NAS-IP-Address = 127.0.0.1
>         Client-IP-Address = 127.0.0.1
> 
> 
> Everything looks like it is coming from localhost.

Well, that's your NAS screwing up NAS-IP-Address.
You can use Packet-Src-IP-Address inside the tunnel, as this was 
specifically altered to reflect the src ip address when the packet 
entered the server.

Though that may only be in CVS ...

> I need the
> Called-Station-Id in order to limit who has access to certain wireless
> SSIDs
> 
eap.conf

eap {
        ttls {
                #  The tunneled authentication request does
                #  not usually contain useful attributes
                #  like 'Calling-Station-Id', etc.  These
                #  attributes are outside of the tunnel,
                #  and normally unavailable to the tunneled
                #  authentication request.
                #
                #  By setting this configuration entry to
                #  'yes', any attribute which is NOT in the
                #  tunneled authentication request, but
                #  which IS available outside of the tunnel,
                #  is copied to the tunneled request.
                #
                # allowed values: {no, yes}
                copy_request_to_tunnel = yes

                #  The reply attributes sent to the NAS are
                #  usually based on the name of the user
                #  'outside' of the tunnel (usually
                #  'anonymous').  If you want to send the
                #  reply attributes based on the user name
                #  inside of the tunnel, then set this
                #  configuration entry to 'yes', and the reply
                #  to the NAS will be taken from the reply to
                #  the tunneled request.
                #
                # allowed values: {no, yes}
                use_tunneled_reply = yes
        }
}

I'm not quite sure how you missed that ;)
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
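To make the semantics of `copy_request_to_tunnel` concrete, here is a small Python model written for this page (it is not FreeRADIUS code and not part of the thread). It simulates how an outer EAP-TTLS request and the tunneled inner request are merged, then applies the kind of per-SSID authorization check Jason is after. The packets are constructed samples modelled on the attributes shown above; the `"MAC:SSID"` layout of Called-Station-Id, the policy table and the `authorize` helper are assumptions of the example, not anything the page states.

```python
"""Illustrative model of copy_request_to_tunnel plus an SSID restriction.

This is example code written for this page, not FreeRADIUS source.  It
assumes Called-Station-Id is formatted as "<AP-MAC>:<SSID>", which is how
many wireless controllers populate it (an assumption, not a guarantee).
"""
from typing import Dict, Optional, Tuple

# Constructed outer (anonymous) request: attributes the NAS sent outside
# the TLS tunnel.  Only the outer leg carries Called-Station-Id.
OUTER_REQUEST: Dict[str, str] = {
    "User-Name": "anonymous",
    "Called-Station-Id": "00-11-22-33-44-55:corp-wifi",  # assumed MAC:SSID
    "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
    "NAS-IP-Address": "192.0.2.10",
}

# Constructed inner request, mirroring the thread's debug output: the
# tunneled leg looks as if it came from localhost and lacks the
# wireless attributes.
INNER_REQUEST: Dict[str, str] = {
    "User-Name": "me@realm",
    "User-Password": "somepass",
    "FreeRADIUS-Proxied-To": "127.0.0.1",
    "NAS-IP-Address": "127.0.0.1",
}

# Assumed policy: which inner identities may use which SSID.
SSID_POLICY: Dict[str, set] = {
    "corp-wifi": {"me@realm"},
    "guest-wifi": {"me@realm", "guest@realm"},
}


def copy_request_to_tunnel(outer: Dict[str, str], inner: Dict[str, str],
                           enabled: bool = True) -> Dict[str, str]:
    """Return the tunneled request as the inner authentication will see it.

    With enabled=True (copy_request_to_tunnel = yes) every outer attribute
    that is absent from the inner request is copied in.  Attributes already
    present inside the tunnel are never overwritten, so User-Name stays the
    real identity rather than the outer 'anonymous', and the inner
    NAS-IP-Address of 127.0.0.1 is kept as-is (which is why the thread
    points at Packet-Src-IP-Address for the real NAS address).
    """
    merged = dict(inner)
    if enabled:
        for attr, value in outer.items():
            merged.setdefault(attr, value)
    return merged


def ssid_from_called_station_id(csid: str) -> Optional[str]:
    """Extract the SSID from an assumed "<MAC>:<SSID>" Called-Station-Id."""
    if ":" not in csid:
        return None
    return csid.split(":", 1)[1]


def authorize(request: Dict[str, str]) -> Tuple[bool, str]:
    """Accept only if the inner user is allowed on the SSID of the outer leg."""
    csid = request.get("Called-Station-Id")
    if csid is None:
        # Nothing was copied from the outer request: the check cannot run.
        return False, "Called-Station-Id missing from tunneled request"
    ssid = ssid_from_called_station_id(csid)
    if ssid is None:
        return False, f"unparseable Called-Station-Id {csid!r}"
    user = request.get("User-Name", "")
    if user in SSID_POLICY.get(ssid, set()):
        return True, f"{user} permitted on {ssid}"
    return False, f"{user} not permitted on {ssid}"


if __name__ == "__main__":
    for flag in (True, False):
        tunneled = copy_request_to_tunnel(OUTER_REQUEST, INNER_REQUEST, flag)
        print(f"copy_request_to_tunnel = {'yes' if flag else 'no'}:",
              authorize(tunneled))
```

Running it shows the practical point of the thread: with the copy enabled the inner request carries Called-Station-Id and the SSID policy can be evaluated against the real User-Name; with it disabled the attribute is simply absent and the check has nothing to work with.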


