Problems with "virtual_server" for EAP-pwd

Christian Strauf strauf at
Mon Mar 27 17:38:00 CEST 2017

Hi Alan,

>  i.e. the inner-tunnel reply isn't used for anything.  So you shouldn't get any RADIUS attributes associated with a user.
thanks for clearing that up.

>  Or, as per the EAP-PWD documentation... just don't return a password in the inner tunnel?
Ok, thanks for the advice. Can you point me to the doc that you're referring to? I only found

and it says that the the whole authorize section is processed (see bottom of the doc) which led me to believe that unlang passages are processed as well. Sorry for the confusion.

>  If you want to get reply attributes for a user, put the rules into the "post-auth" section of the outer tunnel.
We get a "known good" password from an OpenLDAP server in the inner tunnel. The same LDAP search for the user id to retrieve the "known good" password also yields other RADIUS attributes. Do I understand you correctly that one shouldn't use the returned other attributes to update the outer session? Would that be a misuse of the EAP-pwd inner tunnel authorize section?

Thanks for shedding light on this.

Kind regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5172 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list