User and EAP authentication

Alan DeKok aland at
Wed Mar 18 16:34:40 CET 2020

On Mar 18, 2020, at 11:18 AM, Thomas Manninger <DBGTMaster at> wrote

> I confiured two virutal servers, one for X802.1 network authentication
>   (name: inner-tunnel), another virtual server with PAP username/password
>   authentication (name: keycloak).
>   Every incoming request should processed by the virtual_server
>   "keycloak-auth", except all X802.1 request should be processed to the
>   virtual_server "inner-tunnel".

  That’s not how virtual servers work. The listen section has no configuration which tells the server to do that. 

>   But all requests, also the X802.1 requests, are processed by the
>   virtual_server keycloak.

  Yes, that’s how virtual server work. 

>   If i unterstand it correctly, the eap module should send all EAP
>   requests to the inner-tunnel, but this in not working :-( ...

  No, the eap module will send “inner” authentication data to the inner-tunnel virtual server.  But the eap module still has to run in a separate virtual server. 

  The default examples and comments explain this fairly well. 

>   Only if i send all requests to the inner-tunnel virtual-server, then
>   X802.1 auth is working
>   How can i fix the issue?

  Configure the server correctly. Add the eap module to the “outer” virtual server. 

  The default configuration does this for a reason. There’s no documentation which says that the “listen” sections work like you want. 

>   My listen configuration:
>> listen {
>>  type = auth
>>  ipaddr = *
>>  port = 0
>>  virtual_server = keycloak
>> }

  There’s no magic there which says “run eap through a different virtual server”

More information about the Freeradius-Users mailing list