NAS-IP-Address, rlm_perl, and loopback
Alan DeKok
aland at deployingradius.com
Fri Aug 22 08:37:37 CEST 2008
Adam W. Sewell wrote:
> I am using PEAP/MsChapv2.
Exactly. There are multiple packet exchanges as part of one PEAP
authentication.
> I am using a perl script to authorize the user access to the network based on some information that is pulled out of a database via our perl script. This part is working ok. What I want to happen is with the NAS-IP-Address being sent back, I can tell the port on the switch (NAS) which policy this person should have. This would work great if I could get some consistent data from the NAS.
Then put it in the "post-auth" section. In 2.0.5,
raddb/sites-available/default, section post-auth.
> Below are some excerpts from debug log and a log of the variables in RAD_REQUEST for one of our test users. I've looked through the logs and all I can come up with is that it looks like some of the packets are being proxied even though I have proxy turned off in the radius.conf file and have the proxy.conf file commented out.
Which explains what's going on. PEAP is really two things: an outer
TLS session, and inner EAP-MSCHAPv2 authentication. So there are *two*
streams of RADIUS packets. One that sets up the tunnel, and one that
does the authentication inside of the tunnel.
Alan DeKok.
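
An added example, not part of the original message and not FreeRADIUS's own code: an rlm_perl post_auth handler for the approach suggested above, assuming the perl module is listed in the post-auth section of raddb/sites-available/default. The policy table, the lookup_policy helper, the use of Filter-Id to carry the policy name, and the skip on a missing or loopback NAS-IP-Address are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hashes that rlm_perl shares with the server for each request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes used by this handler.
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Constructed sample data: NAS address -> policy name.
# A real deployment would run its database query here instead.
my %POLICY_BY_NAS = (
    '192.0.2.10' => 'staff-policy',
    '192.0.2.11' => 'guest-policy',
);

# Hypothetical helper standing in for the database lookup.
sub lookup_policy {
    my ($nas_ip, $user) = @_;
    return $POLICY_BY_NAS{$nas_ip};
}

# Called by rlm_perl when "perl" is listed in the post-auth section,
# i.e. after the PEAP exchange has finished, not on every packet of it.
sub post_auth {
    my $nas_ip = $RAD_REQUEST{'NAS-IP-Address'};
    my $user   = $RAD_REQUEST{'User-Name'};

    # Assumption: a request without a usable NAS address (absent or
    # loopback) is not the one to make a policy decision on.
    return RLM_MODULE_NOOP
        if !defined $nas_ip || $nas_ip =~ /^127\./;

    my $policy = lookup_policy($nas_ip, $user);
    return RLM_MODULE_NOOP unless defined $policy;

    # Assumption: the switch reads its port policy from Filter-Id.
    $RAD_REPLY{'Filter-Id'} = $policy;
    return RLM_MODULE_UPDATED;
}

1;
```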