eap_ttls not setting 'FreeRADIUS-Proxied-To'
aland at deployingradius.com
Wed Jan 13 00:37:26 CET 2016
On Jan 12, 2016, at 6:22 PM, David Lord <d.lord at its.uq.edu.au> wrote:
... whatever mail software you're using, please fix it. It mangles quoting so it's almost impossible to tell what's going on.
> Okay, I’d love to do that. Would appreciate input on this architecture.
I gave input.
Just determine which rules belong in the "default" virtual server, and while ones belong in the "inner-tunnel" virtual server.
Then... write the appropriate rules in the correct server.
> The other branch of this port uses eduroam_inner, eduroam_IDP and eduroam_SP virtual servers, but I’ve been having trouble getting the right attributes forwarded.
> In theory IDP is exposed to the national roaming operator and SP is for our campus wifi, and SP forwards auth to IDP or the NRO. Is that sensible?
I have no idea. Please explain using english, and not tons of acronyms.
> However, SP needs a &Group derived from LDAP to set the right VLAN attributes, which is queried from _inner and can be passed to IDP via outer.control but is harder to forward to SP. I experimented with a custom attr_filter and didn’t find a reliable way to forward the Group attribute (putting it in a temporary attribute and extracting it in SP seems unstable).
> Alternatively, IDP or _inner can set the VLAN attributes off &Group, and strip them if not replying to SP.
You're explaining what you want in terms of your current architecture. I don't know your current architecture, so your explanation is content-free.
Explain using simple english.
More information about the Freeradius-Users