eap_ttls not setting 'FreeRADIUS-Proxied-To'

Alan DeKok aland at deployingradius.com
Tue Jan 12 15:58:46 CET 2016

On Jan 11, 2016, at 11:35 PM, David Lord <d.lord at its.uq.edu.au> wrote:
> I’m porting our config from v2.2.9 to v3.0.11.
> The problem I’m experiencing is that the eap_peap submodule does set FreeRADIUS-Proxied-To, but eap_ttls does not.

 I've pushed a fix.

> In v2, both submodules did. Unfortunately I’m currently relying on this attribute for tunnelling in one server.

  You shouldn't need to do that.  The "inner-tunnel" virtual server handles inner tunnel data.  Nothing else does.  You don't need to key off of FreeRADIUS-Proxied-To.

> Time is limited so I’m sticking with the previous architecture, which looks like this (trimmed down):
> authorize {
> split_user_realm
> choose_eduroam_proxy # reject invalid realm, set Proxy-To-Realm to national federation or do nothing so it goes internally
> eap_eduroam
> if (“%{%{FreeRADIUS-Proxied-To}:-}” == {

  And that is *way* too complicated.  In v3, just do:

	if (&FreeRADIUS-Proxied-To == {

  But you still don't need to do that.  Just put the outer policies into the "default" virtual server, and the inner policies into the "inner-tunnel" virtual server.

  That's why I created virtual servers: to split the policies like this.  That's why the default configuration ships with multiple virtual servers.

  Alan DeKok.

More information about the Freeradius-Users mailing list