eap_ttls not setting 'FreeRADIUS-Proxied-To'

David Lord d.lord at its.uq.edu.au
Tue Jan 12 05:35:36 CET 2016

Hi all,

I’m porting our config from v2.2.9 to v3.0.11.

The problem I’m experiencing is that the eap_peap submodule does set FreeRADIUS-Proxied-To, but eap_ttls does not. In v2, both submodules did. Unfortunately I’m currently relying on this attribute for tunnelling in one server.

Time is limited so I’m sticking with the previous architecture, which looks like this (trimmed down):

authorize {
choose_eduroam_proxy # reject invalid realm, set Proxy-To-Realm to national federation or do nothing so it goes internally
if (“%{%{FreeRADIUS-Proxied-To}:-}” == {
# inner tunnel: ensure user exists in LDAP and is permitted access
user_search # includes ldap_central and sets auth-type if appropriate

authenticate {
Auth-Type PAP {
Auth-Type MS-CHAP {
         Auth-Type ldap_central {


The result is that PEAP and various non-tunnelled EAPs authenticate correctly, but TTLS never enters the if-block and so no Auth-Type is ever set.

Has this behaviour been intentionally changed? There’s no mention of it in https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/ChangeLog.

If my need isn’t utterly terrible, would it be possible to re-add FreeRADIUS-Proxied-To to eap_ttls?

David Lord

More information about the Freeradius-Users mailing list