How to pass attributes from EAP-TTLS outer to inner?

Jason Murray jemurray at zweck.net
Tue Jun 26 20:00:02 CEST 2007


OK, I feel silly.  I have looked at this configuration file over and
over and I can't believe I missed it.

Thanks.  It works just like I want it to now.

Sorry for wasting people's time.

On 6/26/07, Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk> wrote:
> Jason Murray wrote:
> > I have a situation where I need to pass the "Called-Station-Id" from
> > the outer "anonymous" EAP Authentication-Request to the
> > inner-authentication request.  Is this possible?
> >
> > The problem is all my inner authentication requests look like this:
> >
> > Tue Jun 26 10:55:03 2007
> >         User-Name = "me at realm"
> >         User-Password = "somepass"
> >         FreeRADIUS-Proxied-To = 127.0.0.1
> >         NAS-IP-Address = 127.0.0.1
> >         Client-IP-Address = 127.0.0.1
> >
> >
> > Everything looks like it is coming from localhost.
>
> Well that's your NAS screwing up NAS-IP-Address,
> You can use Packet-Src-Ip-Address inside the tunnel, as this was
> specifically altered to reflect the src ip address when the packet
> entered the server.
>
> Though that may only be in CVS ...
>
> > I need the
> > Called-Station-Id in order to limit who has access to certain wireless
> > SSIDs
> >
> eap.conf
>
> eap {
> ttls {
>                          #  The tunneled authentication request does
>                          #  not usually contain useful attributes
>                          #  like 'Calling-Station-Id', etc.  These
>                          #  attributes are outside of the tunnel,
>                          #  and normally unavailable to the tunneled
>                          #  authentication request.
>                          #
>                          #  By setting this configuration entry to
>                          #  'yes', any attribute which NOT in the
>                          #  tunneled authentication request, but
>                          #  which IS available outside of the tunnel,
>                          #  is copied to the tunneled request.
>                          #
>                          # allowed values: {no, yes}
>                          copy_request_to_tunnel = yes
>
>
>                          #  The reply attributes sent to the NAS are
>                          #  usually based on the name of the user
>                          #  'outside' of the tunnel (usually
>                          #  'anonymous').  If you want to send the
>                          #  reply attributes based on the user name
>                          #  inside of the tunnel, then set this
>                          #  configuration entry to 'yes', and the reply
>                          #  to the NAS will be taken from the reply to
>                          #  the tunneled request.
>                          #
>                          # allowed values: {no, yes}
>                          use_tunneled_reply = yes
> }
> }
>
> I'm not quite sure how you missed that ;)
> --
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
> Authentication, Authorisation and Accounting Officer
> Infrastructure Services | ENG1 E1-1-08
> University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
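To make the behaviour of the two eap.conf settings above concrete, here is a small Python model of what `copy_request_to_tunnel = yes` does to the inner EAP-TTLS request, followed by the kind of per-SSID access decision Jason describes. This is an added example, not FreeRADIUS code and not part of the thread: the merge rule mirrors the config comment (only attributes missing from the tunneled request are copied), the `AA-BB-CC-DD-EE-FF:SSID` form of Called-Station-Id follows RFC 3580, and the `SSID_POLICY` table, the user names and the NAS addresses are constructed sample data.

```python
"""Model of FreeRADIUS's copy_request_to_tunnel = yes for EAP-TTLS, plus an
SSID access check on the copied Called-Station-Id. Constructed example; the
policy table, user names and addresses are made up."""

from typing import Dict, Optional, Tuple


def copy_request_to_tunnel(outer: Dict[str, str], inner: Dict[str, str]) -> Dict[str, str]:
    """Return a new inner request with every outer attribute the inner request
    lacks copied in. Attributes already inside the tunnel (User-Name,
    NAS-IP-Address = 127.0.0.1, ...) are left untouched, exactly as the
    eap.conf comment describes."""
    merged = dict(inner)
    for name, value in outer.items():
        if name not in merged:
            merged[name] = value
    return merged


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split an RFC 3580 style 'AA-BB-CC-DD-EE-FF:SSID' into (mac, ssid).
    Returns (mac, None) when the NAS did not append an SSID."""
    mac, sep, ssid = value.partition(":")
    return mac.upper(), (ssid if sep else None)


# Constructed policy: which inner (real) user may associate to which SSID.
SSID_POLICY = {
    "me@realm": {"staff-wifi"},
    "guest@realm": {"guest-wifi"},
}


def authorize(inner_request: Dict[str, str], policy=SSID_POLICY) -> bool:
    """Decide access from the inner user name and the (copied) Called-Station-Id."""
    user = inner_request.get("User-Name")
    csid = inner_request.get("Called-Station-Id")
    if user is None or csid is None:
        # Without the outer attribute no SSID decision is possible; fail closed
        # instead of silently allowing every SSID.
        return False
    _mac, ssid = parse_called_station_id(csid)
    return ssid is not None and ssid in policy.get(user, set())


# Constructed sample data mirroring the thread: the outer request carries the
# real NAS attributes, the inner request shows only localhost values.
OUTER_REQUEST = {
    "User-Name": "anonymous",
    "NAS-IP-Address": "192.0.2.10",
    "Called-Station-Id": "00-11-22-33-44-55:staff-wifi",
    "Calling-Station-Id": "66-77-88-99-AA-BB",
}
INNER_REQUEST = {
    "User-Name": "me@realm",
    "User-Password": "somepass",
    "FreeRADIUS-Proxied-To": "127.0.0.1",
    "NAS-IP-Address": "127.0.0.1",
    "Client-IP-Address": "127.0.0.1",
}


def demo() -> Tuple[bool, bool]:
    """(decision without copying, decision with copying) for the sample data."""
    without_copy = authorize(INNER_REQUEST)
    with_copy = authorize(copy_request_to_tunnel(OUTER_REQUEST, INNER_REQUEST))
    return without_copy, with_copy


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Note that the merge never overwrites NAS-IP-Address inside the tunnel, so the localhost value Jason saw stays; it is the attributes that were simply absent, such as Called-Station-Id, that become visible to the inner authorization step.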