Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)

Brian Julin BJulin at clarku.edu
Thu Aug 8 02:00:40 CEST 2013


A.L.M.Buxey at lboro.ac.uk [A.L.M.Buxey at lboro.ac.uk] wrote:

> how did you configure the server...from scratch or copy pasting bits over from a 2.x ?

It's a mongrel, not an alteration of fresh 3.0.  It was working on a pre-talloc 3.0 development branch.

> does this 'eap' module use its own virtual_server or does it inherit the virtual_server that
> instigated it (you have no 'virtual_server = "blah"' line in your peap{} section...so I assume
> it's using eduroam_idp VS for the unwrapping?)

There's only one incestuous server clause, and only one EAP configuration block, yes.

I tried to replicate on a test server with lightly modified 3.0 stock configs.  The error only
happens when everything is running through the same server/eap instances, so good
instincts there.  Replicating it is easy: just uncomment the peap virtual-server directive
and add at the top of authorize:

          if (Freeradius-Proxied-To == "127.0.0.1") {
              update control {
                 Proxy-To-Realm = example.com
              }
          }

...and it doesn't matter that example.com defaults to home_server localhost, it does not get that far.

I believe it is the way it is because at some point we were having trouble using outer.request
and such between virtual servers.  I'll have to test those and see if that limitation is still
in effect.


