Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> And indeed as the RFC states, the User-Identity needs to be set in the
>> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
>> count as one of these, as for all intents and purposes it provides no
>> mechanism to proxy arbitrary segments of an EAP conversation on inner
>> identity alone.
>
> I'm not sure why that matters. The *NAS* sets User-Name in the
> Access-Request. The proxying server doesn't have to do anything.

Well, it needs to be able to read an identity of *some* kind, else how would it know where to proxy the packets to? Just saying it's not technically EAP aware in proxying mode; it doesn't matter, just academic discussion :)

>
>> Reason why I was asking is because most of the tests on the JRS test
>> website seem to break when you base the reply in FreeRADIUS, on the
>> inner identity as opposed to the outer identity.
>
> The "post-auth" section is run in the outer identity, so you can
> re-write the reply to be whatever you want.
>

Yes, but it still needs to grab various attributes from the SQL database, and I thought a different query was run for post-auth ... as in the one that logs reply packets ;) ? Maybe I'll move the defaults stuff to post-auth, as defaults set attributes using = , so can't overwrite anything set earlier in Authorize.... just fill in the blanks.

> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900

