Problems with "virtual_server" for EAP-pwd

Christian Strauf strauf at
Mon Mar 27 16:38:56 CEST 2017

P.S.: I'm sorry, I forgot to write that we're using FreeRADIUS 3.0.12.

Am 27. März 2017 4:16:35 nachm. schrieb Christian Strauf <strauf at>:

> Hi all!
> For our eduroam setup we use FreeRADIUS to authenticate EAP-TTLS, PEAP as well as EAP-pwd requests. For each of these EAP types you have to configure the "virtual_server" which deals with the tunneled authentication (which is a little odd with respect to EAP-pwd because it isn't a tunneled method). Within the "inner-tunnel*" virtual servers we connect to an LDAP server to get the user credentials and RADIUS attributes that are associated with a specific user. Furthermore, we call a policy in the authorize section that is defined in policy.d/ that simply checks whether a certain attribute is set to "yes" or "no". The check basically looks like this:
> if ( ...<some check>... ) {
> 	reject
> }
> This works nicely with the inner-tunnel virtual servers that are used for EAP-TTLS and PEAP. It basically looks like this if the check yields a reject:
> 11)         if (...<some check>...)  {
> (11)           [reject] = reject
> (11)         } # if (...<some check>...)  = reject
> (11)       } # policy XXXX = reject
> (11)     } # authorize = reject
> (11)   Using Post-Auth-Type Reject
> (11)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (11)     Post-Auth-Type REJECT {
> ...
> (11)     } # Post-Auth-Type REJECT = updated
> (11) } # server inner-tunnel
> (11) Virtual server sending reply
> This reject is forwarded to the outer session and this works as expected. However, it doesn't work with the inner-tunnel virtual server that we use for EAP-pwd. Please note that the configuration is virtually identical (except that you obviously don't need inner authentications methods for EAP-pwd). You basically get debugging output that looks like this:
> (2)       if (...<some check>...)  {
> (2)         [reject] = reject
> (2)       } # if (...<some check>...)  = reject
> (2)     } # policy XXXX = reject
> (2)   } # authorize = reject
> (2) eap_pwd: } # server inner-tunnel-eap-pwd
> (2) eap_pwd: Got tunneled reply code 0
> It looks like the eap_pwd module doesn't receive the reject generated within the authorize section of the inner-tunnel virtual server. Please note that EAP-pwd authentication per se works without any problems. Furthermore, I perfectly understand that only the authorize section of the inner-tunnel virtual server is used by EAP-pwd anyhow (it's simply used to retrieve credentials). However, it's not clear to me why the exact same configuration works for EAP-TTLS / PEAP but not for EAP-pwd because other things that we do within the authorize section (like setting RADIUS attributes that are used in the outer session etc.) work. I was thinking about working around the problem by doing something like
> update outer.session-state { ... }
> to generate a reject within the outer session. Do you have any suggestions what the right way would be to work around this? Apart from a workaround, do you think this could be a bug in the EAP-pwd module? I tried to read the source code but I'm not a programmer and I couldn't figure out how the EAP-pwd module works differently from the EAP-TTLS and PEAP modules with respect to how it works with inner-tunnel virtual servers. Any help would be highly appreciated.
> Kind regards,
> Christian Strauf
> -- 
> Dipl.-Math. Christian Strauf
> Clausthal Univ. of Technology   E-Mail: strauf at
> Rechenzentrum                   Web:
> Erzstraße 18                    Tel.:   +49-5323-72-2086 Fax: -992086
> D-38678 Clausthal-Zellerfeld

More information about the Freeradius-Users mailing list