Proxy EAP-TLS request after successful authorization with eap module

Arran Cudbard-Bell a.cudbardb at
Tue Oct 17 09:26:20 CEST 2017

> On 17 Oct 2017, at 18:46, work vlpl <thework.vlpl at> wrote:
> Hello,
> I am using v3.0.x branch and want to know is it possible to make proxy
> request to another freeradius/radius server after proxy radius server
> successfully handle request in eap module?
Should be possible, just call eap in authorise with method override.


authorize {

	if (&control:Auth-Type == EAP) {

The trick there is determining when EAP has actually finished. I'd look and
see if the return code of eap.authenticate changes on the final round
after the user has been accepted, and use that as the trigger to proxy
the final request to an upstream server.

if (ok) {
	update control {
		Proxy-To-Realm := 'foo'

If the return code doesn't change, then the outcome might be available
somewhere else, but that'd require some digging.

I don't think the inner tunnel runs for EAP-TLS? At least there's no reason
for it to.

The other thing would be to check and see if the cert authorisation virtual 
server runs right before the Accept is returned... It might.

In which case you can stick your Need-Remote-Call in the outer.session-state list
and check for it in the outer server.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list