Proxy EAP-TLS request after successful authorization with eap module

Alan DeKok aland at
Tue Oct 17 13:50:42 CEST 2017

On Oct 17, 2017, at 3:26 AM, Arran Cudbard-Bell <a.cudbardb at> wrote:
> Should be possible, just call eap in authorise with method override.
> i.e. 
> authorize {
> 	eap
> 	if (&control:Auth-Type == EAP) {
> 		eap.authenticate
> 	}
> }

  Oh god... that might actually work.

  You'd also have to delete the Auth-Type := EAP, too.  And maybe add an "Auth-Type noop", with a "noop" thing there.  Because the server really does expect to run an authenticate method.

> The trick there is determining when EAP has actually finished. I'd look and
> see if the return code of eap.authenticate changes on the final round
> after the user has been accepted, and use that as the trigger to proxy
> the final request to an upstream server.
> eap.authenticate
> if (ok) {
> 	update control {
> 		Proxy-To-Realm := 'foo'
> 	}
> }

  That should work.  The EAP module returns "ok" only when the user is authenticated.

  The other problem is that the reply from the home server will over-ride the reply from the EAP module.  So you have to cache the EAP reply (just one EAP-Message), and re-add it after you get the reply from the home server.

  I'll see if I can do some testing today...

> If the return code doesn't change, then the outcome might be available
> somewhere else, but that'd require some digging.
> I don't think the inner tunnel runs for EAP-TLS? At least there's no reason
> for it to.

  It's allowed for identity privacy.  i.e. use an anonymous outer ID, and then send the certificate via the inner-tunnel.

  Alan DeKok.

More information about the Freeradius-Users mailing list