Sylvain Robitaille wrote:
> I apologize if I'm seeming dense, or leaving the impression that I
> haven't read documentation that you've already pointed me at. I *have*
> read that documentation, but I think the problem is that I'm struggling
> to wrap my head around the details, perhaps because it seems that not
> only are there many options, but there seem to be indeed several ways
> that the same result *might* be achieved.

There is functionality in the server that's historical. The new "unlang" is generally preferred for anything resembling a complex configuration.

> Ok, I think I see it now. The debug output from the inner-tunnel starts
> here then?

Yes. EAP-TTLS does PAP inside of a Diameter AVP inside of a TLS tunnel, which is encapsulated in the TTLS EAP method, which is encapsulated inside of a RADIUS EAP-Message attribute, which goes into a RADIUS packet, over UDP, IP, and Ethernet.

See? Nothing could be simpler. <umm..>

> Well, I'm trying these options and configurations because I do really
> want to accomplish the result I'm after. That I've been doing it all
> wrong is simply an indication that I *still* haven't understood the way
> the server functions. I promise that it isn't because I'm not trying. :-(

EAP-TTLS sets up a TLS tunnel between the server and the end machine (XP, Linux, etc.). It then does a normal authentication request inside of the tunnel. But since the NAS can't see inside of the tunnel, there are no NAS attributes inside of the tunnel.

> Hrmmm... I just spotted why I didn't understand that previously from
> "man unlang", but rather needed you to explain it to me directly:
..
> It talks about being able to *update* items in the outer request

In the documentation about the "update" section. The later documentation about attribute references says you can make references to lists...

> I'd offer to patch the documentation to make it clear that the
> inner-tunnel can reference *attributes* from the outer request using
> "outer.Attribute-Name", but it seems despite all I've learned from all
> of these experiments and from the help I've gotten on the mailing list, I
> have only scratched the surface of what there is to know about FreeRadius,
> and I would likely write yet more partially-correct-at-best third-party
> documentation that folks really shouldn't follow. :-(

I'm trying to write a book, honest. I think I should probably just give up, and put the 200 pages I have up on the net for review.

> Once again, thanks for ALL the help. I think I now have everything I
> need to do exactly what I want.

See? It's easy... just run into a couple of bugs, bang your head against the wall, and you've got it made...

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
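
The innermost layer described in the message above (PAP carried as Diameter AVPs inside the TLS tunnel), as an added example that is not part of the original message and is not FreeRADIUS code. It encodes and parses AVPs in the RFC 5281 layout and shows that only User-Name and User-Password reach the inner server, which is why NAS attributes have to be read from the outer request; the function names and sample credentials are constructed for illustration.

```python
import struct

# RADIUS attribute numbers are reused as Diameter AVP codes inside EAP-TTLS (RFC 5281).
USER_NAME, USER_PASSWORD = 1, 2
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40

def encode_avp(code, data, flags=FLAG_MANDATORY):
    """Build one AVP: 4-byte code, 1-byte flags, 3-byte length, data, pad to 4."""
    length = 8 + len(data)                      # covers header + data, not padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)

def parse_avps(buf):
    """Parse a decrypted tunnel payload into a list of (code, vendor_id, data)."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8  # Vendor-ID adds 4 bytes when V is set
        if length < hdr or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if flags & FLAG_VENDOR else None
        out.append((code, vendor, buf[pos + hdr:pos + length]))
        pos += length + (-length % 4)           # skip padding to the 4-byte boundary
    return out

def inner_pap_request(user, password):
    """Constructed sample: the PAP request a TTLS client places in the tunnel."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)             # RFC 5281: null-pad password to 16 octets
    return encode_avp(USER_NAME, user.encode()) + encode_avp(USER_PASSWORD, pw)

def inner_attributes(buf):
    """Return {code: value} for what the inner-tunnel request actually contains."""
    return {code: data.rstrip(b"\x00") if code == USER_PASSWORD else data
            for code, _vendor, data in parse_avps(buf)}

if __name__ == "__main__":
    payload = inner_pap_request("bob", "hello")  # constructed credentials
    print(inner_attributes(payload))
```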

