Overrides for sites-available/inner-tunnel

Roddie Hasan roddie at krweb.net
Tue Apr 13 23:15:51 CEST 2021


> > be pushing a TrustSec SGT along with the VLAN.  I'm honestly surprised
> > the setting that I found this morning isn't more commonly needed.
>
>   It might be.  But many people solve a problem, and then never tell anyone about it.

I'll make sure I document it well in my repo :-)

I think I'm actually going to build my own Docker image with this
feature enabled and then I'll document the fix for those who aren't
using Docker.  This way I won't have problems if the official image
changes.

> > Oh, interesting idea.  I'm not even 100% sure what we're testing for in
> > this section - Maybe "use_tunneled_reply" from mods-available/eap?
>
>   The old "eap" module "use_tunneled_reply" configuration is fairly brute-force.  It also can't be changed in "unlang".
>
>   If you disable the "eap" module "use_tunneled_reply" configuration, you can enable this "unlang" section.  And then have full control over what happens with the tunneled reply.

Got it (I think) - Thank you!

> > Related: Are there plans or is there an appetite for an Alpine-based
> > Docker image for FreeRADIUS 4.x?
>
>   No.  Please don't use v4, as it hasn't been released.  Please don't encourage people to use it.

Understood - I saw that 4.x was the master branch of
freeradius-server, so I thought I missed something.  I'll stick to
documenting this for 3.x only for now.

>   The good news is that we've abstracted away all of the RADIUS stuff in the server core, and it is now fully protocol agnostic.  So the core does anything.  Which means a full DHCPv4 implementation is ~3500 LoC, including packet encode / decoding, DHCP protocol state machines, network IO, and configuration file parsing.

Oh, wow - An IPAM, too?  :-)

Roddie