EAP/TTLS + virtual_server woes

Alan DeKok aland at deployingradius.com
Fri Oct 2 08:35:50 CEST 2009


Alexander Clouter wrote:
> If you use the 'virtual_server' functionality in the ttls{} section of 
> eap.conf, everything works great if you get an Access-Accept from the 
> inner virtual server ('auth' for me).  When I say "works great", I mean 
> the 'post-auth' section of the EAP calling ('auth-eap') virtual server 
> is munched through.  However, if 'Access-Reject' is returned then 
> 'post-auth' is not parsed and it bombs immediately back out to the 
> outer virtual server's ('dot1x') post-proxy section.

  Yes.

> Any suggestions, it would be nice if on Access-Reject that post-auth 
> section was passed in 'auth-eap'.

  That takes source code patches.

  Part of the issue is that the server *pretends* that the inner session
is a separate authentication request.  But actually treating it as
separate is hard.  So the TTLS && PEAP modules fake it, and sometimes
don't do a good job.

  This involves copying some more code from the server core into the
modules.

  Alan DeKok.
