eap_ttls not setting 'FreeRADIUS-Proxied-To'

David Lord d.lord at its.uq.edu.au
Wed Jan 13 01:04:43 CET 2016


On 13 Jan 2016, at 9:37 AM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jan 12, 2016, at 6:22 PM, David Lord <d.lord at its.uq.edu.au> wrote:
> 
>  ... whatever mail software you're using, please fix it.  It mangles quoting so it's almost impossible to tell what's going on.

Sorry, Apple Mail. Switched to plain text and replies look better in Outlook Web now. Fixed?

> 
>> Okay, I’d love to do that. Would appreciate input on this architecture.
> 
>  I gave input.
> 
>  Just determine which rules belong in the "default" virtual server, and which ones belong in the "inner-tunnel" virtual server.
> 
>  Then... write the appropriate rules in the correct server.
> 
>> The other branch of this port uses eduroam_inner, eduroam_IDP and eduroam_SP virtual servers, but I’ve been having trouble getting the right attributes forwarded.
>> In theory IDP is exposed to the national roaming operator and SP is for our campus wifi, and SP forwards auth to IDP or the NRO. Is that sensible?
> 
>  I have no idea.  Please explain using English, and not tons of acronyms.
> 

Oops, too many eduroam acronyms. I’ve seen Alan Buxey use NRO recently but that was a different mailing list.

>> However, SP needs a &Group derived from LDAP to set the right VLAN attributes, which is queried from _inner and can be passed to IDP via outer.control but is harder to forward to SP. I experimented with a custom attr_filter and didn’t find a reliable way to forward the Group attribute (putting it in a temporary attribute and extracting it in SP seems unstable).
>> Alternatively, IDP or _inner can set the VLAN attributes off &Group, and strip them if not replying to SP.
> 
>  You're explaining what you want in terms of your current architecture.  I don't know your current architecture, so your explanation is content-free.
> 
>  Explain using simple English.

Okay, rephrasing:
If one virtual server (SP) uses Proxy-To-Realm to forward to a 2nd virtual server (IDP), which uses an eap module with peap & ttls “virtual_server” set to a 3rd virtual server (inner), is there a reliable way to forward attributes from #3 to #1?

The reason for having 3 may or may not be good architecture (but here isn’t the place to ask). I might just cut it down to inner and outer, which would make the attribute-forwarding irrelevant.

Thanks for your time, Alan and Matthew.

> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
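The three-virtual-server chain described in the question above (SP proxies to IDP with Proxy-To-Realm, IDP's EAP module hands the tunneled request to inner), sketched as FreeRADIUS 3.x configuration. This is an added illustration, not configuration from the thread or from the FreeRADIUS project, and it does not settle the question of whether forwarding from #3 to #1 is reliable. The server names eduroam_SP, eduroam_IDP and eduroam_inner and the &Group attribute are the ones the thread mentions; the realm name, the named eap instance eap_idp, the "staff" group value, the VLAN id placeholder, and the choice to copy the Tunnel-* attributes into outer.reply from the inner server's post-auth are assumptions of this sketch.

```unlang
# proxy.conf: a realm that "proxies" to a local virtual server rather than
# to a remote home server. Realm name is an assumption of this sketch.
realm eduroam_IDP {
	virtual_server = eduroam_IDP
}

# mods-enabled/eap: a named eap instance (assumed name eap_idp) whose PEAP and
# TTLS methods hand the tunneled request to a third virtual server.
eap eap_idp {
	default_eap_type = peap
	peap {
		tls = tls-common
		virtual_server = "eduroam_inner"
	}
	ttls {
		tls = tls-common
		virtual_server = "eduroam_inner"
	}
}

# sites-enabled/eduroam_SP: server #1, the one the campus wifi talks to.
server eduroam_SP {
	listen {
		type = auth
		ipaddr = *
		port = 1812
	}
	authorize {
		# Send the request to server #2 (Proxy-To-Realm, as in the question).
		update control {
			&Proxy-To-Realm := "eduroam_IDP"
		}
	}
	post-proxy {
		# The reply from eduroam_IDP is now &reply. Only real RADIUS attributes
		# (such as the Tunnel-* VLAN set) survive this hop; an internal attribute
		# like &Group is not part of the proxied reply.
		attr_filter.post-proxy
	}
}

# sites-enabled/eduroam_IDP: server #2, the outer EAP server.
server eduroam_IDP {
	authorize {
		eap_idp
	}
	authenticate {
		eap_idp
	}
}

# sites-enabled/eduroam_inner: server #3, which sees the inner identity and
# (per the thread) has &Group available from LDAP. Populating &Group is out of
# scope here; the check on "staff" and the VLAN id are placeholders.
server eduroam_inner {
	authorize {
		eap_idp
	}
	authenticate {
		eap_idp
	}
	post-auth {
		# Assumption of this sketch: set the VLAN attributes on the outer reply
		# here, so they travel back through #2 to #1 as ordinary reply attributes.
		if (&Group == "staff") {
			update outer.reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "VLAN-ID-PLACEHOLDER"
			}
		}
	}
}
```

The design point follows Alan's advice in the thread: decide which server owns each decision and write the rule there. In this sketch the inner server owns the group-to-VLAN mapping and emits only standard Tunnel-* reply attributes, so nothing internal (such as &Group) has to be smuggled across the proxy hop into the SP server.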
