Overrides for sites-available/inner-tunnel

Alan DeKok aland at deployingradius.com
Tue Apr 13 22:34:27 CEST 2021 

On Apr 13, 2021, at 2:50 PM, Roddie Hasan <roddie at krweb.net> wrote:
> Thanks for the reply, Alan - Once I can get this process figured out
> (I think I have already), we can figure out an appropriate place for
> them to be included.  At the end of the day, it's really just a simple
> dot1x and RADIUS with a Cisco switch PoC, and we just happen to also
> be pushing a TrustSec SGT along with the VLAN.  I'm honestly surprised
> the setting that I found this morning isn't more commonly needed.

  It might be.  But many people solve a problem, and then never tell anyone about it.

> Oh, interesting idea.  I'm not even 100% what we're testing for in
> this section - Maybe "use_tunneled_reply" from mods-available/eap?

  The old "eap" module "use_tunneled_reply" configuration is fairly brute-force.  It also can't be changed in "unlang".

  If you disable the "eap" module "use_tunneled_reply" configuration, you can enable this "unlang" section.  And then have full control over what happens with the tunneled reply.

> Also, it seems to be a completely different structure in 4.x which
> actually has a "use_tunneled_reply" in the inner-tunnel file.  My
> problem is that I started with 3.x, which is the latest version on
> Docker Hub, so I'm going to have to redo this if/when it's upgraded
> and probably document both settings on my repo for those who aren't
> using Docker.  No big deal.

  v4 hasn't been released, so please ignore it for now.

> Related: Are there plans or is there an appetite for an Alpine-based
> Docker image for FreeRADIUS 4.x?

  No.  Please don't use v4, as it hasn't been released.  Please don't encourage people to use it.

  The configuration files and packet handling are changing on a near-daily basis.  All for the better, but we're still a ways off of an alpha release of v4.

  The good news is that we've abstracted away all of the RADIUS stuff in the server core, and it is now fully protocol agnostic.  So the core does anything.  Which means a full DHCPv4 implementation is ~3500 LoC, including packet encode / decoding, DHCP protocol state machines, network IO, and configuration file parsing.

  And yes, if we decide to go crazy, it's now possible to add Diameter to the server.  :)

  Alan DeKok.

More information about the Freeradius-Users mailing list