terminate eap-ttls
adrian.p.smith at bt.com
Thu Jun 20 13:09:40 CEST 2013
> >>> What I really need to do is proxy the inner message to another
> >>> Radius server which will do the authentication but I cannot get this
> >>> to work. Whatever I try, I always see an EAP-Message avp heading off
> >>> to the remote server. I have looked at the proxy-inner-tunnel
> >>> virtual server but am unsure how to use it.
> >
> >> This *is* proxying the inner tunnel; the inner tunnel auth is also
> >> EAP, and you're sending it to the remote server.
> >
> > Thanks, this is NOT what I want to do. I want to send the inner
> > message, not the tunnel and do PAP on the remote server.
> You can only do PAP on the remote server if your inner auth method was PAP. Basically, this means EAP-TTLS/PAP.
> Doing that is simple:
> server inner-tunnel {
>     authorize {
>         update control {
>             Proxy-To-Realm := THEREALM
>         }
>     }
> }
> If this isn't working, send a debug from "radiusd -X"
Many thanks Phil, that now works a treat.
For other folks, the main trip-up I had was the eapol config. Originally I had:
network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=TTLS"
}
As per the original page, but I really needed:
network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=PAP"
}
The "phase2" indicating the "inner" protocol. Obvious when you know!