Problems with "virtual_server" for EAP-pwd

Christian Strauf strauf at
Mon Mar 27 18:16:13 CEST 2017

>   All of the "authorize" section is processed, *but* only the Cleartext-Password is taken from the output.
Ok, makes sense and that's also the way I understood the comment in the configuration file.

>   Then do that in the "authorize" section.  EAP-PWD is more like EAP-MD5 than it's like PEAP.
Yes, indeed. I intended to minimise the number of LDAP searches by copying the RADIUS attributes from the inner tunnel LDAP search (which is mandatory in our scenario to retrieve the known good password) to the outer session so that I wouldn't have to search in the outer session once and then another time in the inner tunnel. The copying of the attributes works nicely.

>> Do I understand you correctly that one shouldn't use the returned other attributes to update the outer session?
>   I didn't say that.  It does work.  There is no magic in the server.  You can always update an outer session from an inner one.
Ok, that's good. This means that I only need to move the policy snippet from the inner tunnel authorize section to a different section (as you suggested earlier). By asking I just wanted to make sure that updating the outer session from the EAP-pwd inner tunnel section is ok.

Thanks for your help, I think I can fix my problem with your advice.

