eap_ttls not setting 'FreeRADIUS-Proxied-To'
David Lord
d.lord at its.uq.edu.au
Tue Jan 12 05:35:36 CET 2016
Hi all,
I’m porting our config from v2.2.9 to v3.0.11.
The problem I’m experiencing is that the eap_peap submodule does set FreeRADIUS-Proxied-To, but eap_ttls does not. In v2, both submodules did. Unfortunately I’m currently relying on this attribute for tunnelling in one server.
Time is limited so I’m sticking with the previous architecture, which looks like this (trimmed down):
authorize {
split_user_realm
choose_eduroam_proxy # reject invalid realm, set Proxy-To-Realm to national federation or do nothing so it goes internally
eap_eduroam
if (“%{%{FreeRADIUS-Proxied-To}:-}” == 127.0.0.1) {
# inner tunnel: ensure user exists in LDAP and is permitted access
user_search # includes ldap_central and sets auth-type if appropriate
}
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type ldap_central {
ldap_central
}
eap_eduroam
}
The result is that PEAP and various non-tunnelled EAPs authenticate correctly, but TTLS never enters the if-block and so no Auth-Type is ever set.
Has this behaviour been intentionally changed? There’s no mention of it in https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/ChangeLog.
If my need isn’t utterly terrible, would it be possible to re-add FreeRADIUS-Proxied-To to eap_ttls?
Cheers,
David Lord
More information about the Freeradius-Users
mailing list