Difference between proxying to real and virtual server in proxy-inner-tunnel

Herwin Weststrate herwin at quarantainenet.nl
Tue Dec 4 16:35:52 CET 2018

Given the following setup:

- Client using PEAP
- Server configured to use proxy-inner-tunnel for PEAP
- proxy_tunneled_request_as_eap disabled
- proxy-inner-tunnel assigns a fixed value to Proxy-To-Realm
- proxy.conf configured for this realm to proxy to localhost:18121
- a virtual server listening on this port, very basic configuration
- users file has user bob enabled

Using eapol_test to authenticate with user bob works fine. The debug log
shows we get a request on with User-Name bob and some
MS-CHAP-attributes. In the end we get an Access-Accept.

Now, I tried to switch to a virtual server by removing
ipaddr/port/secret from the home_server statement, and replacing it with
a virtual_server option. I would expect this to behave the same, but
instead of proxying the inner packet I get the outer packet in the
virtual server and the authentication breaks because we don't have the
inner EAP information.

I've seen this behaviour in both 3.0.15 and the current v3.0.x (commit
8ef4848c34696caa0d61003470d321974049b794). The behaviour is not what I
did expect, so I guess this is a bug. It's also a bug that is pretty to
fix without breaking backwards compatibility.

Herwin Weststrate
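
The two `home_server` variants described in the post above, written out as a configuration sketch for reproducing the comparison. This is an added example, not the poster's actual configuration: the realm, pool, home server and virtual server names and the secret are made-up placeholders.

```conf
# proxy.conf -- constructed example; all names and the secret are placeholders

# Variant A: real home server, reached over the loopback socket.
home_server inner_real {
	type   = auth
	ipaddr = 127.0.0.1
	port   = 18121
	secret = placeholder-secret
}

# Variant B: ipaddr/port/secret removed, virtual_server set instead,
# so the request is handed to the virtual server in-process.
home_server inner_virtual {
	virtual_server = inner-target
}

home_server_pool inner_pool {
	type        = fail-over
	home_server = inner_real      # change to inner_virtual for variant B
}

realm inner-realm {
	auth_pool = inner_pool
}

# sites-enabled/proxy-inner-tunnel, authorize section (fixed realm):
#   update control {
#       &Proxy-To-Realm := "inner-realm"
#   }
#
# mods-enabled/eap, peap section:
#   proxy_tunneled_request_as_eap = no
#   virtual_server = "proxy-inner-tunnel"
#
# sites-enabled/inner-target defines: server inner-target { ... }
# with, for variant A, a listen section:
#   listen {
#       type   = auth
#       ipaddr = 127.0.0.1
#       port   = 18121
#   }
```

Running the server in debug mode (`radiusd -X`) with each variant in turn shows which attributes arrive in the target virtual server, which is the comparison the post describes.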