eap_ttls not setting 'FreeRADIUS-Proxied-To'
David Lord
d.lord at its.uq.edu.au
Thu Jan 14 03:05:17 CET 2016
Thanks all for the responses, particularly the National Roaming Octopus.
Agreed that the triple-server architecture is excessive. You can enforce the Identity Provider vs Service Provider distinction by stripping SP-only attributes from replies sent outside your network.
For anyone curious in future, since I’ve read a lot of the mailing list via Google and this may be helpful:
What I’ve ended up with is two virtual servers, inner and outer. Outer will always set all attributes, and then runs a custom attr_filter which keys on %{client:shortname}* and removes the private attributes from the clients with the wrong names.
Haven’t looked at the RFCs yet for appropriate attributes to permit.
* incidentally, the attr_filter module doesn’t seem to enable the new &format.
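Added example, not the poster's own configuration: one way to build that outer-server attr_filter in FreeRADIUS 3.x, keyed on the client shortname so that the RFC 2868 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are stripped from Access-Accepts going to any client other than your own controllers. The module and file names, the client shortnames and the choice of Tunnel-* attributes are assumptions; the unlisted attributes are left for the RFC review mentioned above.

```conf
# mods-available/vlan_filter  (attr_filter instance; placeholder names)
attr_filter vlan_filter {
        # Key on the shortname (from clients.conf) of the NAS or proxy
        # the reply is about to be sent back to.
        key = "%{client:shortname}"
        # relaxed = yes: attributes not mentioned in the rules file pass
        # through untouched; only the listed ones are checked.
        relaxed = yes
        filename = ${modconfdir}/attr_filter/vlan_filter
}

# mods-config/attr_filter/vlan_filter
# Entries are compared with the key; the first match wins unless it sets
# Fall-Through, so the local clients come first and DEFAULT catches the rest.

# Our own wireless controller (placeholder shortname): VLAN assignment is
# meaningful here, so let the tunnel attributes through.
campus-wlc-1
        Tunnel-Type =* ANY,
        Tunnel-Medium-Type =* ANY,
        Tunnel-Private-Group-Id =* ANY

# Everyone else, e.g. the national roaming proxy: remove the VLAN
# attributes before the Access-Accept leaves the network.
DEFAULT
        Tunnel-Type !* ANY,
        Tunnel-Medium-Type !* ANY,
        Tunnel-Private-Group-Id !* ANY

# sites-available/default (the outer virtual server): run the filter on the
# reply after the inner tunnel has finished, so it sees the final attributes.
post-auth {
        vlan_filter
}
```

Check it with `radiusd -X` and a test client under each shortname: the debug output prints "Matched entry ... at line N" for the rules entry chosen, and the reply list that follows should show the Tunnel-* attributes only for the local client.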