Problems with "virtual_server" for EAP-pwd

Alan DeKok aland at
Mon Mar 27 17:48:28 CEST 2017

On Mar 27, 2017, at 11:38 AM, Christian Strauf <strauf at> wrote:
> Ok, thanks for the advice. Can you point me to the doc that you're referring to?

  See the comments in the EAP module, the "pwd" section.

> I only found
> and it says that the the whole authorize section is processed (see bottom of the doc) which led me to believe that unlang passages are processed as well. Sorry for the confusion.

  All of the "authorize" section is processed, *but* only the Cleartext-Password is taken from the output.

>> If you want to get reply attributes for a user, put the rules into the "post-auth" section of the outer tunnel.
> We get a "known good" password from an OpenLDAP server in the inner tunnel. The same LDAP search for the user id to retrieve the "known good" password also yields other RADIUS attributes.

  Then do that in the "authorize" section.  EAP-PWD is more like EAP-MD5 than it's like PEAP.

> Do I understand you correctly that one shouldn't use the returned other attributes to update the outer session?

  I didn't say that.  It does work.  There is no magic in the server.  You can always update an outer session from an inner one.

> Would that be a misuse of the EAP-pwd inner tunnel authorize section?

  <shrug>  If it works...

  Alan DeKok.

More information about the Freeradius-Users mailing list