Terminate EAP-TTLS then proxy

adrian.p.smith at bt.com adrian.p.smith at bt.com
Fri Sep 22 09:40:48 CEST 2017

Thanks for those extra tips.

I think I have it working now.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: 22 September 2017 08:32
To: FreeRadius users mailing list
Subject: Re: Terminate EAP-TTLS then proxy

Change default EAP type  md5 to ttls in your EAP module, that'll save a resend

Next look at how you are handling realms in outer and inner. If only proxying ttls then comment out prefix/suffix from outer server.

Finally, by default, there's a big safety switch in the inner tunnel to ensure things don't by default get their proxy changed in ttls , remove the proxy-to-realm statement (read the surrounding warning text) *or* update it to be relevant eg wrap it in unlang statement to only occur if the realm is not passpoint

Ps having worked with passpoint myself I think I know what and why you are doing this ;)


On 21 Sep 2017 11:27 pm, "Alan DeKok" <aland at deployingradius.com> wrote:

On Sep 21, 2017, at 6:24 PM, <adrian.p.smith at bt.com> <adrian.p.smith at bt.com>
> Hi Alan,
> I proxy-to-realn LOCAL in the default server as I was advised to do 
> this
as part of the EAP-TTLS termination and Transfer to the inner-tunnel.
> Perhaps this is not needed?

  It's needed if you don't want to proxy the outer EAP session.

> My aim is be able to terminate the EAP and then proxy the request to
another server.

  Then edit the inner tunnel to delete the "Proxy-To-Realm = Local"

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list