Clarifications on expected behavior when using proxy-inner-tunnel (3.x)

Alan DeKok aland at
Fri Nov 6 19:06:15 CET 2015

On Nov 6, 2015, at 12:04 PM, Brian Julin <BJulin at> wrote:
> I don't know whether to rely on this behavior, because it seems a bit
> convoluted.

  The complexity is because of the protocols.  The only way to make it simpler is to prevent people from doing things at certain stages of authentication.  Which is a bad idea.

> In a server configured to proxy inner tunnel requests the requests flow
> as expected between the outer server and the client until PEAP starts
> unwrapping.
> Then the packet flow seems to be this:
> 1) normal client -> (outer-eap) -> outer server -> peap ->
> 2) proxy-inner-tunnel server autz (sets Proxy-To-Realm)
> 3) proxy-inner-tunnel server ("sends reply" back to outer)
> 4) either outer pre-proxy section or pre-proxy from a realm virtual_server directive
> 5) request actually sent to external inner
> 6) either outer post-proxy section or post-proxy from a realm virtual_server directive
> 7) outer post-auth

  Pretty much. 

> proxy-inner-tunnel's post-auth never gets run,

  In v3 it should be run.

> and its pre-proxy/post-proxy will not
> get run unless you use a realm "virtual_server" directive to force it.

  Yes.  That's because it was just simpler to set it up that way.

  Patches are welcome. :)

  We're working on simplifying and re-designing the server core for 3.1 / 3.2.  That will make all of this work by design.  The current system was cobbled together over time, and is less than perfect.

> If this is set up naively without an "eap" in outer's post-proxy section and with
> no realm virtual_server directive, the administrator will find inner tunnel replies being
> sent directly to the client.

  That shouldn't happen.  I'll see if I can fix that.  Probably in 3.1 instead of 3.0.

  But... the default configuration is there for a reason.  Changing things is often a bad idea.

>   If you do provide a post-proxy in the outer server or a
> realm virtual_server directive, everything ends up "working" minus not running
> some sections of the proxy-inner-tunnel server.

  Because you're supposed to list "eap" in the post-proxy section of the outer server.

  It's all there for a reason.  It could be better, of course.

> If that's the way it is supposed to work, as long as I can get my session-state
> handling straight, I'm happy to do it that way, but it looked odd so I didn't want
> to rely on it without asking.

  You can rely on the default configuration working.

  You CANNOT rely on deleting things you don't understand... and having it still "do the right thing".  The default configuration is there for a reason.  Changing it will often break things.

>  Also the default mods-available/proxy-inner-tunnel
> could use some commentary to this effect.

  As always, patches are welcome.

  Alan DeKok.
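The configuration the thread keeps circling back to, written out as an added example (not from the original message, and not FreeRADIUS's own shipped files): the inner virtual server sets Proxy-To-Realm, the realm names that virtual server so its pre-proxy/post-proxy sections run, and the outer server lists "eap" in post-proxy so the proxied inner reply is wrapped back into the TLS tunnel instead of reaching the client in the clear. The home server address, secret and realm name are constructed placeholders; the file paths follow the usual 3.x layout and are an assumption about the reader's install.

```conf
# --- proxy.conf (constructed example values) ---
home_server inner_home {
        type   = auth
        ipaddr = 192.0.2.10          # placeholder: the external inner RADIUS server
        port   = 1812
        secret = CHANGE-ME-shared-secret
}

home_server_pool inner_pool {
        type        = fail-over
        home_server = inner_home
}

realm inner.example.com {
        auth_pool      = inner_pool
        # Naming the virtual server here is what makes proxy-inner-tunnel's
        # own pre-proxy and post-proxy sections run for this proxied request.
        virtual_server = proxy-inner-tunnel
}

# --- sites-available/proxy-inner-tunnel (relevant sections only) ---
server proxy-inner-tunnel {
        authorize {
                # Send the unwrapped inner request to the realm above.
                update control {
                        &Proxy-To-Realm := "inner.example.com"
                }
        }
        pre-proxy {
                # Runs only because the realm sets virtual_server = proxy-inner-tunnel.
        }
        post-proxy {
                # Same as above; useful for filtering what the inner server returned.
        }
}

# --- sites-available/default (outer server, relevant section only) ---
server default {
        post-proxy {
                # Required: "eap" here re-wraps the inner reply into the PEAP/TLS
                # tunnel. Without it the inner reply attributes go straight to the
                # client, which is the symptom described in the thread.
                eap
        }
}
```

A quick way to confirm the sections are running is `radiusd -X`: the debug log shows `(N) server proxy-inner-tunnel { ... pre-proxy` and `post-proxy` entries only when the realm carries the virtual_server line, and the outer `post-proxy` block should show the eap module handling the proxied reply before the Access-Challenge goes back to the client.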