Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)
Brian Julin
BJulin at clarku.edu
Thu Aug 8 15:39:55 CEST 2013
> Alan DeKok wrote:
> Brian Julin wrote:
> > I tried to replicate on a test server with lightly modified 3.0 stock configs.
> > The error only happens when everything is running through the same server/eap
> > instances, so good instincts there. Replicating it is easy: just uncomment the
> > peap virtual-server directive and add at the top of authorize:
> >
> >     if (Freeradius-Proxied-To == "127.0.0.1") {
> >         update control {
> >             Proxy-To-Realm = example.com
> >         }
> >     }
>
> That doesn't make much sense. If it's in the "default" virtual
> server, the FreeRADIUS-Proxied-To attribute will never exist. If it's
> in the "inner-tunnel" virtual server, it will always exist, and always
> have that value.
Only if you send it there with a virtual_server="inner-tunnel" statement
in the peap block. This happens if you do not, as documented in the
comments for that option. Ah -- maybe to replicate you can't
have inner-tunnel in sites-enabled, since it has that loopback
listen directive. I had swapped in proxy-inner-tunnel at some point,
it appears, which does not have it.
> > ...and it doesn't matter that example.com defaults to home_server localhost,
> > it does not get that far.
>
> Well... I tried it, and I didn't see any errors.
>
> Can you check that you're really running a *stock* binary, and a
> *stock* configuration?
I will -- should I preferably be testing against the release git branch, or
against a release tag in master, BTW?
> > I believe it is the way it is because at some point we were having trouble
> > using outer.request and such between virtual servers. I'll have to test those
> > and see if that limitation is still in effect.
>
> All that should work...
Good.