Mark <[EMAIL PROTECTED]> wrote:
> I've added the following lines to the users file to configure this:
>
> # Proxy just the tunnel
> DEFAULT EAP-Type == MS-CHAP-V2, Auth-Type := EAP, Proxy-To-Realm := mydomain

  OK... so you're telling the server to use EAP authentication, and
also telling it to proxy the request.  That doesn't make sense.

> # Decode the tunnel locally
> DEFAULT Realm == "mydomain", Proxy-To-Realm := LOCAL, Auth-Type := EAP

  How do you know that line will match only the tunneled request?

> Is this a bug or have I mis-configured it somehow?  It looks to me as
> though it is reading the config items outside the tunnel rather than
> the ones inside.  I have attached the log file.

  The tunneled request is just another RADIUS request.  It's processed
through the "users" file just like any other request.

  The key here is that you're NOT matching the inner/outer tunnel
data.  Fix that.

#
#  proxy the inner tunnel stuff
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-mydomain

  If "[EMAIL PROTECTED]" is the username both inside AND outside of the
tunnel, then DO NOT list "mydomain" as a realm.  That will cause the
server to proxy the outer session.  Instead, create "inner-mydomain"
in proxy.conf, which will never match a request.  You can then use it
to force proxying, when you want, and ONLY when you want.

  Alan DeKok.
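The matching point made in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified Python model of first-line "users" file matching, run over the two entries from the thread. The request dictionaries and the user name user@mydomain are constructed, and the model assumes the Realm attribute has already been added to both requests because "mydomain" is listed as a realm.

```python
import re

# One "Attribute op value" item; only the two operators used in the thread.
ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=)\s*"?([^",]+?)"?\s*$')

def parse_entry(line):
    """Split 'NAME item, item, ...' into check items (==) and control items (:=)."""
    name, _, rest = line.strip().partition(" ")
    checks, control = {}, {}
    for raw in rest.split(","):
        m = ITEM.match(raw)
        if not m:
            raise ValueError(f"cannot parse item: {raw!r}")
        attr, op, value = m.groups()
        (checks if op == "==" else control)[attr] = value
    return name, checks, control

def first_match(entries, request):
    """Return the control items of the first entry whose checks all equal the request."""
    for line in entries:
        _, checks, control = parse_entry(line)
        if all(request.get(attr) == value for attr, value in checks.items()):
            return control
    return {}

# Entries quoted from the thread.
REALM_RULE = 'DEFAULT Realm == "mydomain", Proxy-To-Realm := LOCAL, Auth-Type := EAP'
INNER_RULE = "DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-mydomain"

# Constructed requests: same user name inside and outside the tunnel.
# Only the tunneled (inner) request carries FreeRADIUS-Proxied-To.
OUTER = {"User-Name": "user@mydomain", "Realm": "mydomain"}
INNER = dict(OUTER, **{"FreeRADIUS-Proxied-To": "127.0.0.1"})

if __name__ == "__main__":
    for label, rule in (("Realm rule", REALM_RULE), ("inner rule", INNER_RULE)):
        for name, req in (("outer", OUTER), ("inner", INNER)):
            print(f"{label:10} {name}: {first_match([rule], req)}")
```

The Realm-based entry returns the same control items for both requests, so it cannot tell the tunneled request from the outer one; the FreeRADIUS-Proxied-To entry matches the inner request only.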

