EAP processing

Billot Emmanuel.Billot at ac-orleans-tours.fr
Tue Jun 12 20:11:17 CEST 2012



On 12/06/12, Alan DeKok <aland at deployingradius.com> wrote:
> Emmanuel BILLOT wrote:
> > Could you explain what is the difference between the default file and
> > the inner-tunnel file in /etc/raddb/site-enabled ?
> 
>  This is documented in the comments at the top of the files.
> 
>  The "default" virtual server handles normal RADIUS traffic. However,
> some EAP types set up a TLS tunnel between the PC and the RADIUS server.
> The data *inside* of the TLS tunnel has to be authenticated.
> 
>  So... it's run through the "inner-tunnel" virtual server.
> 
Hi,

OK, that's what I read from you on another post.

> 
> 
> > When running in debug mode, i see sometimes
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > and
> > sometimes
> > # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
> 
>  Not "sometimes". That is a very bad way to think about it. The debug
> log shows *exactly* what the server is doing. Read it slowly, it will
> make sense.
> 
Sorry, I didn't use the correct words. I tried to follow each line in a radiusd -X output.

It begins with a complete request, and the authorize section.
Parsing each authorize mechanism, only eap doesn't return "noops".

A first question: the default file says

eap {
	ok = return
}

The EAP request comes with an EAP message and so is captured by the eap authorize section, right?
It returns an update of the original request with Auth-Type = EAP.

I can't understand why there is then a second authorize check.

> 
> 
> > Is there any docs about the complete processing of EAP authentication ?
> 
>  Nope.
> 
>  Alan DeKok.
--

Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
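
Added example, not part of the original message and not FreeRADIUS code: a small Python script that walks the "Executing section ... from file ..." lines of a `radiusd -X` log and labels each one by virtual server, making visible the flow Alan DeKok describes above (the outer request runs through "default", the data inside the TLS tunnel runs through "inner-tunnel"). The sample log is constructed, and mapping a file name to a virtual server assumes the stock sites-enabled layout.

```python
import re

# Matches the debug line quoted in the thread. \s+ also spans a line break,
# so a path wrapped onto the next line (as in the quoted e-mail) still parses.
SECTION_RE = re.compile(r"#\s*Executing section (\S+) from file\s+(\S+)")

# Assumption: stock layout, where each file in sites-enabled/ holds the
# virtual server of the same name.
LAYER = {
    "default": "outer RADIUS request",
    "inner-tunnel": "data inside the TLS tunnel",
}

# Constructed sample (not real server output): one tunnelled EAP login
# reduced to its "Executing section" lines.
SAMPLE = """\
# Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing section authorize from file /etc/raddb/sites-enabled/default
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
# Executing section post-auth from file /etc/raddb/sites-enabled/default
"""

def trace_sections(debug_text):
    """Return [(section, virtual_server, layer), ...] in log order."""
    # Drop e-mail quote markers so logs pasted from a list post also parse.
    text = re.sub(r"(?m)^(?:> ?)+", "", debug_text)
    steps = []
    for section, path in SECTION_RE.findall(text):
        server = path.rstrip("/").rsplit("/", 1)[-1]
        steps.append((section, server, LAYER.get(server, "unknown")))
    return steps

def authorize_passes(steps):
    """Count how many times authorize ran in each virtual server."""
    counts = {}
    for section, server, _layer in steps:
        if section == "authorize":
            counts[server] = counts.get(server, 0) + 1
    return counts

if __name__ == "__main__":
    steps = trace_sections(SAMPLE)
    for section, server, layer in steps:
        print(f"{section:<10} {server:<13} {layer}")
    print(authorize_passes(steps))
```
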


More information about the Freeradius-Users mailing list