eap_ttls not setting 'FreeRADIUS-Proxied-To'

Matthew Newton mcn4 at leicester.ac.uk
Tue Jan 12 12:20:18 CET 2016

On Tue, Jan 12, 2016 at 04:35:36AM +0000, David Lord wrote:
> The problem I’m experiencing is that the eap_peap submodule does
> set FreeRADIUS-Proxied-To, but eap_ttls does not. In v2, both
> submodules did. Unfortunately I’m currently relying on this
> attribute for tunnelling in one server.

I believe the plan is to scrap FreeRADIUS-Proxied-To, which is a
left-over from version 1 which didn't have virtual servers.

> authorize {
> split_user_realm
> choose_eduroam_proxy # reject invalid realm, set Proxy-To-Realm
>                        to national federation or do nothing so it goes internally
> eap_eduroam
> if (“%{%{FreeRADIUS-Proxied-To}:-}” == {
> # inner tunnel: ensure user exists in LDAP and is permitted access
> user_search # includes ldap_central and sets auth-type if appropriate
> }
> }
> authenticate {
> Auth-Type PAP {
>         pap
>         }
> Auth-Type MS-CHAP {
>         mschap
>         }
>          Auth-Type ldap_central {
>         ldap_central
>          }
> eap_eduroam
> }

Is this your outer or inner virtual server? It looks like you're
trying to mix the two.

> The result is that PEAP and various non-tunnelled EAPs
> authenticate correctly, but TTLS never enters the if-block and
> so no Auth-Type is ever set.
> If my need isn’t utterly terrible, would it be possible to
> re-add FreeRADIUS-Proxied-To to eap_ttls?

I don't understand why you need it. If you have an outer (default)
virtual server and an inner-tunnel virtual server, then by
definition the inner-tunnel will be local traffic only, so you
don't need to check for FreeRADIUS-Proxied-To.


Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list