eap_ttls not setting 'FreeRADIUS-Proxied-To'

Alan DeKok aland at deployingradius.com
Wed Jan 13 00:37:26 CET 2016


On Jan 12, 2016, at 6:22 PM, David Lord <d.lord at its.uq.edu.au> wrote:

  ... whatever mail software you're using, please fix it.  It mangles quoting so it's almost impossible to tell what's going on.

> Okay, I’d love to do that. Would appreciate input on this architecture.

  I gave input.

  Just determine which rules belong in the "default" virtual server, and which ones belong in the "inner-tunnel" virtual server.

  Then... write the appropriate rules in the correct server.

> The other branch of this port uses eduroam_inner, eduroam_IDP and eduroam_SP virtual servers, but I’ve been having trouble getting the right attributes forwarded.
> In theory IDP is exposed to the national roaming operator and SP is for our campus wifi, and SP forwards auth to IDP or the NRO. Is that sensible?

  I have no idea.  Please explain using English, and not tons of acronyms.

> However, SP needs a &Group derived from LDAP to set the right VLAN attributes, which is queried from _inner and can be passed to IDP via outer.control but is harder to forward to SP. I experimented with a custom attr_filter and didn’t find a reliable way to forward the Group attribute (putting it in a temporary attribute and extracting it in SP seems unstable).
> Alternatively, IDP or _inner can set the VLAN attributes off &Group, and strip them if not replying to SP.

  You're explaining what you want in terms of your current architecture.  I don't know your current architecture, so your explanation is content-free.

  Explain using simple English.

  Alan DeKok.
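
As an added example, not taken from this thread and not the original poster's configuration: the split Alan is asking for, written as two FreeRADIUS 3.0 virtual server excerpts. The "inner-tunnel" server, which sees the real identity, decides the group; the outer "default" server, which talks to the NAS, owns the reply. The &Group attribute and the fact that LDAP fills it in are taken from the message above; the list names, the group values "staff" and "student", the VLAN numbers, the guest-VLAN fallback and the post-proxy stripping are assumptions for illustration. The `session-state` list and the `outer.` prefix need FreeRADIUS 3.0.

```unlang
#  --- sites-available/inner-tunnel (illustrative excerpt, not stock config) ---
#
#  The inner tunnel sees the real user identity, so the LDAP lookup
#  runs here.  It does NOT put VLAN attributes in its own reply: the
#  inner reply is discarded by the outer server except for what is
#  copied out explicitly, so there is nothing to attr_filter later.
post-auth {
	#  Assumption: &Group was populated from LDAP in "authorize"
	#  and holds the user's group name (as in the original message).
	#  Copy it into the OUTER request's session-state list, which
	#  lives until the outer Access-Accept is built.
	if (&Group) {
		update {
			&outer.session-state:Group := &Group
		}
	}
}

#  --- sites-available/default (illustrative excerpt, not stock config) ---
#
#  The outer server decides what the NAS (campus wifi) is told.  Only
#  requests authenticated in our own inner tunnel carry
#  &session-state:Group; a visitor whose request was proxied to the
#  roaming operator never matches the first two branches.
post-auth {
	if (&session-state:Group == "staff") {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "20"   # staff VLAN (placeholder value)
		}
	}
	elsif (&session-state:Group == "student") {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "30"   # student VLAN (placeholder value)
		}
	}
	else {
		#  Unknown or missing group (including proxied visitors): assign
		#  the guest VLAN explicitly, so an LDAP lookup failure can never
		#  leave the NAS to pick a default that may be privileged.
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "99"   # guest VLAN (placeholder value)
		}
	}
}

post-proxy {
	#  A reply from a remote home server must not be allowed to choose
	#  a VLAN on our network.  Delete any tunnel attributes it sent;
	#  post-auth above then assigns our own value.  ("!* ANY" removes
	#  every instance of the attribute from the list.)
	update reply {
		&Tunnel-Type !* ANY
		&Tunnel-Medium-Type !* ANY
		&Tunnel-Private-Group-Id !* ANY
	}
}
```

The inner half goes in whatever server `virtual_server` in the `ttls` and `peap` sub-sections of mods-available/eap points at; the outer half goes in the server whose `listen` section faces the NAS. Because only one attribute is copied out of the tunnel, the stock inner-tunnel behaviour of discarding the inner reply is left as-is and no custom `attr_filter` is needed; what reaches the NAS is exactly what the outer post-auth section builds.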



