Terminate EAP-TTLS then proxy

Alan Buxey alan.buxey at gmail.com
Fri Sep 22 09:32:22 CEST 2017

Change default EAP type  md5 to ttls in your EAP module, that'll save a

Next look at how you are handling realms in outer and inner. If only
proxying ttls then comment out prefix/suffix from outer server.

Finally, by default, there's a big safety switch in the inner tunnel to
ensure things don't by default get their proxy changed in ttls , remove the
proxy-to-realm statement (read the surrounding warning text) *or* update it
to be relevant eg wrap it in unlang statement to only occur if the realm is
not passpoint

Ps having worked with passpoint myself I think I know what and why you are
doing this ;)


On 21 Sep 2017 11:27 pm, "Alan DeKok" <aland at deployingradius.com> wrote:

On Sep 21, 2017, at 6:24 PM, <adrian.p.smith at bt.com> <adrian.p.smith at bt.com>
> Hi Alan,
> I proxy-to-realn LOCAL in the default server as I was advised to do this
as part of the EAP-TTLS termination and Transfer to the inner-tunnel.
> Perhaps this is not needed?

  It's needed if you don't want to proxy the outer EAP session.

> My aim is be able to terminate the EAP and then proxy the request to
another server.

  Then edit the inner tunnel to delete the "Proxy-To-Realm = Local"

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/

More information about the Freeradius-Users mailing list