Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)

Brian Julin BJulin at clarku.edu
Thu Aug 8 15:39:55 CEST 2013


> Alan DeKok wrote:
> Brian Julin wrote:
> > I tried to replicate on a test server with lightly modified 3.0 stock configs.
> > The error only happens when everything is running through the same server/eap
> > instances, so good instincts there.  Replicating it is easy: just uncomment the
> > peap virtual-server directive and add at the top of authorize:
> >
> >           if (Freeradius-Proxied-To == "127.0.0.1") {
> >               update control {
> >                  Proxy-To-Realm = example.com
> >               }
> >           }
> 
>   That doesn't make much sense.  If it's in the "default" virtual
> server, the FreeRADIUS-Proxied-To attribute will never exist.  If it's
> in the "inner-tunnel" virtual server, it will always exist, and always
> have that value.

Only if you send it there with a virtual_server="inner-tunnel" statement
in the peap block.  This happens if you do not, as documented in the
comments for that option.  Ah -- maybe to replicate you can't
have inner-tunnel in sites-enabled, since it has that loopback
listen directive.  I had swapped in proxy-inner-tunnel at some point,
it appears, which does not have it.

> > ...and it doesn't matter that example.com defaults to home_server
> > localhost, it does not get that far.
> 
>   Well... I tried it, and I didn't see any errors.
> 
>   Can you check that you're really running a *stock* binary, and a
> *stock* configuration?

I will -- should I preferably be testing against the release git branch, or
against a release tag in master, BTW?

> > I believe it is the way it is because at some point we were having trouble
> > using outer.request and such between virtual servers.  I'll have to test
> > those and see if that limitation is still in effect.
> 
>   All that should work...

Good.


