eap_ttls not setting 'FreeRADIUS-Proxied-To'

David Lord d.lord at its.uq.edu.au
Thu Jan 14 03:05:17 CET 2016

Thanks all for the responses, particularly the National Roaming Octopus.

Agreed that the triple-server architecture is excessive. You can enforce the Identity Provider vs Service Provider distinction by stripping SP-only attributes from replies sent outside your network.

For anyone curious in future, since I’ve read a lot of the mailing list via Google and this may be helpful:

What I’ve ended up with is two virtual servers, inner and outer. Outer will always set all attributes, and then runs a custom attr_filter which keys on %{client:shortname}* and removes the private attributes from the clients with the wrong names.

Haven’t looked at the RFCs yet for appropriate attributes to permit.

* incidentally, the attr_filter module doesn’t seem to enable the new &format.

More information about the Freeradius-Users mailing list