Problems with "virtual_server" for EAP-pwd
strauf at rz.tu-clausthal.de
Mon Mar 27 17:38:00 CEST 2017
> i.e. the inner-tunnel reply isn't used for anything. So you shouldn't get any RADIUS attributes associated with a user.
Thanks for clearing that up.
> Or, as per the EAP-PWD documentation... just don't return a password in the inner tunnel?
Ok, thanks for the advice. Can you point me to the doc that you're referring to? I only found
and it says that the whole authorize section is processed (see bottom of the doc), which led me to believe that unlang passages are processed as well. Sorry for the confusion.
> If you want to get reply attributes for a user, put the rules into the "post-auth" section of the outer tunnel.
We get a "known good" password from an OpenLDAP server in the inner tunnel. The same LDAP search for the user id to retrieve the "known good" password also yields other RADIUS attributes. Do I understand you correctly that one shouldn't use the returned other attributes to update the outer session? Would that be a misuse of the EAP-pwd inner tunnel authorize section?
Thanks for shedding light on this.