EAP-Peap-MSchapv2 proxy from innertunnel

Robert Roll Robert.Roll at utah.edu
Thu Aug 29 18:48:59 CEST 2013

Ok, I've tried this with 2.2 and still get the same behavior..

If I actually look at the proxy-inner-tunnel I see the following for post-proxy..

   post-proxy {
    	#  This is necessary for LEAP, or if you set:
	#  proxy_tunneled_request_as_eap = no

I see that eap needs be invoked if using 

  proxy_tunneled_request_as_eap = no

Does it actually need to NOT be there for

     proxy_tunneled_request_as_eap = no

I should say I'm actually NOT using the proxy-inner-tunnel server, but
rather the default  inner-tunnl with:	

#  If you want the inner tunnel request to be proxied, delete
#  the next few lines.
#	update control {
#	       Proxy-To-Realm := LOCAL
#	}



From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] on behalf of Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Thursday, August 29, 2013 9:38 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: EAP-Peap-MSchapv2  proxy from innertunnel

On 29/08/13 15:56, Robert Roll wrote:
>   I guess I assumed the   id: in the TCP dump   below was the "EAP Response Identifier"  maybe not ? Is there a different
> EAP response identifier ?

Yes, in the EAP-Message attribute (EAP packet)

>   I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump.
> That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just
> had a thought about a common configuration issue...

TBH proxying EAP inner is not common at all; there have been bugs in
that area in the past.

Re-reading I notice that you're running 2.10 - upgrade. I'm pretty
certain that version has inner-eap proxy bugs. Go to 2.2.0.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list