AW: postproxy breaks eap authentication

Alan Buxey A.L.M.Buxey at
Wed Nov 17 22:55:41 CET 2010

> <The default configuration works for proxying EAP packets.  If your
> <configuration doesn't work, it's because you changed something and broke it.
> The default config is working, I wrote that in the first mail. IF I make this additional config, then eap is broken:

> /etc/freeradius/attrs:
>         Tunnel-Private-Group-ID :=8,
>         Fall-Through = Yes
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802

THAT file isnt the default config. you have pretty much removed all of the
attributes that must be passed through for EAP to work.

basically, what you have done is said, 'okay, you've authenticated, but before
I send the packet back, i will run it through a filter.  your filter doesnt list
any of the required attributes and therefore is breaking things. the email from
Phil correctly stated all the attributes needed as a minimum....these
are in the default attrs file - I know, because I ensured all the right ones
were there for EAP proxy to work (back in 1.0.x days) - I deal with several queries
each month from sites where they have just enabled pre-proxy or post-proxy 
filtering for security - without realising what they are doing.  I wouldnt
put those values into attrs...i would use a different way.... 


More information about the Freeradius-Users mailing list