Issues with post-auth not running in inner-tunnel/proxy-inner-tunnel

Chris Griffin cgriffin352 at
Fri Aug 12 16:05:42 UTC 2022

Hi Alan,
  I found a few things.

1. The rad_postauth wasn't being called because
"proxy_tunneled_request_as_eap" was commented out.  I had made the wrong
assumption about what the default was.  I uncommented it and set it to no
and rad_postauth was correctly called.  That was set to no in my production
3.2 platform but not this test instance.

2. Digging into the auth.c:

Based on this code:

         *      If a method was chosen, use that.
        if (vp) {
                postauth_type = vp->vp_integer;
                RDEBUG2("Using Post-Auth-Type %s",
                        dict_valnamebyattr(PW_POST_AUTH_TYPE, 0,

It is setting the postauth_type to "Challenge" and I am getting this
feedback in the debugs:

(8) eap: EAP session adding &reply:State = 0x784b1b4e799f01a6
(8)     [eap] = ok
(8)   } # post-proxy = ok
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.

It seems that it is only looking for a Post-Auth-Type Challenge section in
post-auth and if it doesn't have it, the section is ignored.  Just as a
test I changed it it:

if (0) {....

To avoid setting the postauth_type and the post-auth section is now
properly called:

(8) # Executing section post-auth from file
(8)   post-auth {

In my very brief testing, everything seems to work now, but this feels
"very wrong" as a solution.  Do you have any feedback as to the correct
thing to do?  Should I just put everything for post-auth in a challenge
section or is that being mis-set somewhere and causing this result?


On Fri, Aug 12, 2022 at 9:00 AM Alan DeKok <aland at>

> On Aug 12, 2022, at 8:51 AM, Chris Griffin <cgriffin352 at> wrote:
> >  I did a little debugging inside the code and found that
> > 'request_data_get' returns NULL so we never pass the conditional which
> > allows rad_postauth to be called.  Any other debug information that would
> > help?
>   You can try editing peap.c:
>                         /*
>                          *      We're not proxying it as EAP, so we've got
>                          *      to do the callback later.
>                          */
>                         if ((fake->options & RAD_REQUEST_OPTION_PROXY_EAP)
> != 0) {
>   just change that if
>                 if (1) {
>   And that *should* help.  Hopefully it doesn't break anything else.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list