Question on Virtual Servers and inner-tunnel

Phil Mayers p.mayers at
Wed Jan 26 10:07:24 CET 2011

On 01/25/2011 11:18 PM, Brett Littrell wrote:

> with inner-tunnel requests. So my question is wether naming the server
> inner-tunnel causes it to exclusively handle inner-tunnel requests, in
> other word is inner-tunnel a hard coded name that has to be used for
> handling inner-tunnel requests?

No. It is set in "eap.conf"; see the "virtual_server" option under the 
peap and ttls stanzas.

You can also override (per-request) to use a different virtual server in 
the outer tunnel e.g.


authorize {
   if (EAP-Message) {
     if (...some lookup...) {
       update control {
         # this directs the inner tunnel from this EAP
         # session to the named virtual server
         Virtual-Server := "somedifferentthing"

Something that might not be obvious also - the virtual server name 
actually comes from the:

server NAME {
   authorize {

..."NAME" option on the server{} block. By convention and to avoid 
confusion the filename in /etc/raddb/sites-{available,enabled} is the 
same, but it doesn't need to be (and in fact doesn't need to be in a 
separate file)

More information about the Freeradius-Users mailing list