Terminate EAP-TTLS then proxy
adrian.p.smith at bt.com
Fri Sep 22 09:40:48 CEST 2017
Thanks for those extra tips.
I think I have it working now.
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 22 September 2017 08:32
To: FreeRadius users mailing list
Subject: Re: Terminate EAP-TTLS then proxy
Change default EAP type md5 to ttls in your EAP module, that'll save a resend.
Next look at how you are handling realms in outer and inner. If only proxying ttls then comment out prefix/suffix from outer server.
Finally, by default, there's a big safety switch in the inner tunnel to ensure things don't by default get their proxy changed in ttls. Remove the proxy-to-realm statement (read the surrounding warning text) *or* update it to be relevant, e.g. wrap it in an unlang statement to only occur if the realm is not passpoint.
PS: having worked with passpoint myself, I think I know what and why you are doing this ;)
alan
On 21 Sep 2017 11:27 pm, "Alan DeKok" <aland at deployingradius.com> wrote:
On Sep 21, 2017, at 6:24 PM, <adrian.p.smith at bt.com> <adrian.p.smith at bt.com> wrote:
>
> Hi Alan,
>
> I proxy-to-realm LOCAL in the default server as I was advised to do this
> as part of the EAP-TTLS termination and Transfer to the inner-tunnel.
>
> Perhaps this is not needed?
It's needed if you don't want to proxy the outer EAP session.
> My aim is to be able to terminate the EAP and then proxy the request to
> another server.
Then edit the inner tunnel to delete the "Proxy-To-Realm = Local" attribute.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
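The three changes Alan Buxey lists, sketched as a configuration fragment. This is an added example, not part of the original messages and not the posters' actual configuration; it assumes the FreeRADIUS 3.x file layout and a realm named passpoint already defined in proxy.conf.

```conf
# --- mods-available/eap (fragment, other settings unchanged) --------
eap {
	# Shipped default is md5. Offering TTLS first saves the resend
	# mentioned in the thread.
	default_eap_type = ttls

	ttls {
		# Tunnelled (inner) requests are handled by this virtual server.
		virtual_server = "inner-tunnel"
	}
}

# --- sites-available/default, authorize section (outer session) -----
authorize {
	# Realm handling is commented out here so the outer EAP session
	# is never proxied and TTLS terminates on this server.
#	suffix
	eap
}

# --- sites-available/inner-tunnel, authorize section (inner session) -
authorize {
	# suffix sets Realm and, for a non-local realm, control:Proxy-To-Realm.
	suffix

	if (&Realm == "passpoint") {
		# Assumed realm name. Leave the Proxy-To-Realm chosen by suffix
		# in place so this inner request goes to the home server.
		noop
	}
	else {
		# The shipped safety switch, kept for every other realm.
		# Read the warning text around it in the stock file before
		# changing it: a proxied inner request carries the inner
		# identity and authentication data to the home server.
		update control {
			&Proxy-To-Realm := LOCAL
		}
	}
}
```

Running the server in debug mode (`radiusd -X`) shows whether the inner request keeps the home-server realm or is forced back to LOCAL.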