EAP/TTLS + virtual_server woes
Alan DeKok
aland at deployingradius.com
Fri Oct 2 08:35:50 CEST 2009
Alexander Clouter wrote:
> If you use the 'virtual_server' functionality in the ttls{} section of
> eap.conf, everything works great if you get an Access-Accept from the
> inner virtual server ('auth' for me). When I say "works great", I mean
> the 'post-auth' section of the EAP calling ('auth-eap') virtual server
> is munched through. However, if 'Access-Reject' is returned then
> 'post-auth' is not parsed and it bombs immediately back out to the
> outer virtual server's ('dot1x') post-proxy section.
Yes.
> Any suggestions, it would be nice if on Access-Reject that post-auth
> section was passed in 'auth-eap'.
That takes source code patches.
Part of the issue is that the server *pretends* that the inner session
is a separate authentication request. But actually treating it as
separate is hard. So the TTLS && PEAP modules fake it, and sometimes
don't do a good job.
This involves copying some more code from the server core into the
modules.
Alan DeKok.