Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Phil Mayers
Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute, it's a standard RADIUS yep attribute... Inner identity is encoded in the EAP message, and is pulled yep out by the EAP module prior to internal proxying and set as the

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote: ... It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP, and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv2. Ah cool, that's actually really useful. Does only one packet need to be proxied per EAP authentication? Yes. Alan

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
Gah, my message bounced owing to change of email address... Arran wrote: Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute, it's a standard RADIUS attribute... Inner identity is encoded in the EAP message, and is pulled out by

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Arran Cudbard-Bell
Josh Howlett wrote: Gah, my message bounced owing to change of email address... Arran wrote: Can you clear something up for me with inner/outer identity. The outer identity is in the User-Name attribute, it's a standard RADIUS attribute... Inner identity is encoded in the EAP message,

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote: And indeed as the RFC states, the User-Identity needs to be set in the access requests for non-EAP-aware proxies. I suspect FreeRADIUS may count as one of these, as, for all intents and purposes, it provides no mechanism to proxy arbitrary segments of an EAP

RE: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
Nope; see RFC 3579 for the gory details: the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute. See, that's what I suspected, else how could the User-Name attribute be populated in the access

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Andreas Liebe
Alan, I do not want to terminate the EAP tunnels for the foreign realms, but I have to terminate the local one (@tu-darmstadt.de and NULL) as I have to forward the requests to a set of internal radius servers not capable of speaking EAP. Set Proxy-To-Realm := LOCAL for the realms you
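The routing decision discussed in this message, in Josh's RFC 3579 reply and in Alan's note that a terminated PEAP session proxies a single plain MS-CHAPv2 packet, as an added example. This is illustrative code, not code from the FreeRADIUS project or from anyone in the thread. The realm names, the parent home-server name and the inner/outer realm consistency check in `inner_request` are assumptions for illustration only.

```python
"""
Models three steps from the thread:
  1. the NAS copies the Type-Data of EAP-Response/Identity into User-Name
     (RFC 3579 section 2.1), so a proxy only ever sees the *outer* identity;
  2. the proxy splits the realm off User-Name and either terminates the EAP
     tunnel (Proxy-To-Realm := LOCAL) or forwards the EAP conversation
     untouched to the parent (eduroam) server;
  3. for a locally terminated PEAP session the *inner* identity becomes the
     User-Name of the one plain Access-Request sent to a non-EAP backend.
Realm/home-server names and the inner-vs-outer realm check are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
LOCAL = "LOCAL"        # FreeRADIUS Proxy-To-Realm value meaning "handle here"
NULL_REALM = "NULL"    # FreeRADIUS name for "User-Name carries no realm"


def build_eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                       5 + len(data), EAP_TYPE_IDENTITY) + data


def user_name_from_eap_message(eap: bytes) -> str:
    """What the NAS does per RFC 3579 s2.1: copy Type-Data into User-Name."""
    if len(eap) < 5:
        raise ValueError("EAP message too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(eap):
        raise ValueError("EAP Length does not match message size")
    return eap[5:].decode("utf-8")


def split_realm(user_name: str) -> tuple[str, Optional[str]]:
    """Suffix split like rlm_realm with format = suffix, delimiter = '@':
    the rightmost '@' is the delimiter; no '@' at all means the NULL realm.
    Realm comparison is modelled as case-insensitive (assumption)."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower()


@dataclass(frozen=True)
class Decision:
    proxy_to_realm: str          # "LOCAL" or the realm name
    home_server: Optional[str]   # None when handled locally
    eap_terminated: bool         # True: tunnel ends here, inner auth goes to a non-EAP backend


@dataclass
class RealmTable:
    """Realms whose EAP tunnel terminates on this server (Proxy-To-Realm := LOCAL)
    and the parent that everything else (the DEFAULT realm) is forwarded to."""
    local_realms: frozenset[str]
    default_home: str

    def _is_local(self, realm_key: str) -> bool:
        return realm_key.lower() in {r.lower() for r in self.local_realms}

    def route_outer(self, user_name: str) -> Decision:
        _user, realm = split_realm(user_name)
        key = NULL_REALM if realm is None else realm
        if self._is_local(key):
            return Decision(LOCAL, None, True)
        # Foreign realm: pass the EAP conversation through untouched.
        return Decision(key, self.default_home, False)


def inner_request(table: RealmTable, outer_user_name: str, inner_identity: str) -> dict:
    """After PEAP is terminated locally, build the single plain Access-Request that
    goes to the internal (non-EAP) backend with User-Name set to the inner identity.
    The MS-CHAPv2 challenge/response attributes would ride alongside; they are not
    modelled here. The inner/outer realm consistency check is an added safeguard
    (assumption), not something the thread specifies."""
    decision = table.route_outer(outer_user_name)
    if not decision.eap_terminated:
        raise ValueError("outer realm is foreign; the tunnel must not be terminated here")
    inner_user, inner_realm = split_realm(inner_identity)
    if inner_realm is not None and not table._is_local(inner_realm):
        raise ValueError("inner identity realm is not one this server is authoritative for")
    return {
        "User-Name": inner_identity,
        "Stripped-User-Name": inner_user,
        "Realm": NULL_REALM if inner_realm is None else inner_realm,
    }


# Constructed sample setup: the thread's local realms plus a made-up parent.
TABLE = RealmTable(local_realms=frozenset({"tu-darmstadt.de", NULL_REALM}),
                   default_home="eduroam-parent.example:1812")

if __name__ == "__main__":
    for ident in ("anonymous@tu-darmstadt.de", "anonymous", "anonymous@somerealm.example"):
        un = user_name_from_eap_message(build_eap_response_identity(1, ident))
        print(un, TABLE.route_outer(un))
    print(inner_request(TABLE, "anonymous@tu-darmstadt.de", "alice@tu-darmstadt.de"))
```

Run it as-is: the two local identities (with realm and with none) come back as `LOCAL`, the foreign one is routed to the parent with the EAP conversation untouched, and the inner identity of the terminated session is what the internal backend receives as User-Name.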

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Arran Cudbard-Bell
Alan DeKok wrote: Arran Cudbard-Bell wrote: And indeed as the RFC states, the User-Identity needs to be set in the access requests for non-EAP-aware proxies. I suspect FreeRADIUS may count as one of these, as, for all intents and purposes, it provides no mechanism to proxy arbitrary

Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Alan DeKok
Arran Cudbard-Bell wrote: I'm not sure why that matters. the *NAS* sets User-Name in the Access-Request. The proxying server doesn't have to do anything. Well it needs to be able to read an identity of *some* kind, else how would it know where to proxy the packets to. The NAS

Re: terminating EAP tunnels, proxy and realms

2007-06-24 Thread Arran Cudbard-Bell
Alan DeKok wrote: Arran Cudbard-Bell wrote: So the eap module extracts the attributes encoded in the eap message? I can see that working for EAP GTC and EAP PAP but not MschapV2? It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP, and proxy the inner

Re: terminating EAP tunnels, proxy and realms

2007-06-24 Thread Alan DeKok
Arran Cudbard-Bell wrote: I was just looking at the protocol filters, they look interesting and will make a lot of people on the list happy ... rlm_protocol_filter? I put that in 2 years ago, and I didn't think anyone was using it... Just finished building on my 32-bit machine and ..

Re: terminating EAP tunnels, proxy and realms

2007-06-24 Thread Arran Cudbard-Bell
Alan DeKok wrote: Arran Cudbard-Bell wrote: I was just looking at the protocol filters, they look interesting and will make a lot of people on the list happy ... rlm_protocol_filter? I put that in 2 years ago, and I didn't think anyone was using it... Well it's a little

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Andreas Liebe
Hi Helmut, Is there a way to terminate the EAP regardless of the outer identity? Why do you want this? The EAP tunnel should terminate on the last RADIUS where the user belongs. On your RADIUS only the EAP tunnels for your users should be terminating. I do not want to terminate the EAP

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Arran Cudbard-Bell
Andreas Liebe wrote: Hi Helmut, Is there a way to terminate the EAP regardless of the outer identity? Why do you want this? The EAP tunnel should terminate on the last RADIUS where the user belongs. On your RADIUS only the EAP tunnels for your users should be terminating.

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Alan DeKok
Andreas Liebe wrote: I do not want to terminate the EAP tunnels for the foreign realms, but I have to terminate the local one (@tu-darmstadt.de and NULL) as I have to forward the requests to a set of internal radius servers not capable of speaking EAP. Set Proxy-To-Realm := LOCAL for the

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Arran Cudbard-Bell
Alan DeKok wrote: Andreas Liebe wrote: I do not want to terminate the EAP tunnels for the foreign realms, but I have to terminate the local one (@tu-darmstadt.de and NULL) as I have to forward the requests to a set of internal radius servers not capable of speaking EAP. Set

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Arran Cudbard-Bell
Alan DeKok wrote: Arran Cudbard-Bell wrote: So the eap module extracts the attributes encoded in the eap message? I can see that working for EAP GTC and EAP PAP but not MschapV2? It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP, and proxy the inner

Re: terminating EAP tunnels, proxy and realms

2007-06-23 Thread Alan DeKok
Arran Cudbard-Bell wrote: So the eap module extracts the attributes encoded in the eap message? I can see that working for EAP GTC and EAP PAP but not MschapV2? It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP, and proxy the inner EAP-MSCHAPv2 session as plain

Re: terminating EAP tunnels, proxy and realms

2007-06-22 Thread Helmut Tröbs
Hello Andreas, No, we want to participate in inter-university roaming (eduroam) and thus have to proxy some requests to a parent server. Everything works great except regarding the outer identity. If it's just anonymous everything is ok, but if it's anonymous@somerealm and somerealm is