EAP-TTLS proxying the tunneled request fails

Alan DeKok aland at deployingradius.com
Fri Jun 21 17:18:23 CEST 2019

On Jun 21, 2019, at 10:35 AM, Ekkehard Burkon <eb at tnib.de> wrote:
> My goal is to have a freeradius server handle EAP authentication with the EAP type being EAP-TTLS. The data from the tunneled request should be proxied
> to another radius server.

  Set Proxy-To-Realm in the inner-tunnel virtual server, and it will work.

> I got as far as that. The proxy gets the request and answers it accordingly. But to me it looks like freeradius does not put enough info into that request
> and then loses track of things. The info sent to the AP is a plain accept with no EAP-Message and Message-Authenticator attribute.

  Then you edited the configuration and broke something.

> Accordingly the whole thing does not work. (The EAP-TLS stuff is working)
> I include the config. I tried to keep just the necessary stuff and a debug output from one request.

  Please don't post the config.  We don't need it.  The documentation says to NOT post the configuration.

1) start with the default configuration
2) add Proxy-To-Realm to get it proxied
3) test it
4) delete portions of the config that you think aren't needed
    and go back to (3).

  At some point, it will stop working.  That change is the one that broke it.

  Also, upgrade to 3.0.19 if you're running an older version of the server.

  Alan DeKok.
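
Added illustration, not part of the original message and not the project's shipped configuration: what "set Proxy-To-Realm in the inner-tunnel virtual server" can look like on a FreeRADIUS 3.0.x default layout. The realm name `inner.example`, the pool and home server names, the address and the secret are placeholders assumed for this sketch.

```conf
# proxy.conf: define where the inner (tunneled) request is sent.
# All names and values below are placeholders for this example.
home_server inner_home {
	type = auth
	ipaddr = 192.0.2.10          # documentation-range address
	port = 1812
	secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool inner_pool {
	type = fail-over
	home_server = inner_home
}

realm inner.example {
	auth_pool = inner_pool
	nostrip                      # forward User-Name unchanged
}

# sites-enabled/inner-tunnel: inside the existing authorize { } section
# of the default file. Leave the rest of the default virtual server,
# including the "eap" module and the post-proxy section, in place so the
# outer EAP-TTLS session can still build its EAP-Message reply.
authorize {
	# ... default modules stay as shipped ...

	# Proxy the tunneled request instead of authenticating it locally.
	update control {
		&Proxy-To-Realm := "inner.example"
	}
}
```

Running `radiusd -X` after each change, as in steps 3 and 4 above, shows whether the inner request is proxied and whether the final Access-Accept still carries EAP-Message and Message-Authenticator.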
