2008/9/2 Ivan Kalik <[EMAIL PROTECTED]>:
> You are using outdated version of the server which doesn't support
> virtual servers. In current version eap is processed by the default
> virtual server while inner tunnel is processed by - inner-tunnel virtual
> server. If you don't want to upgrade you can emulate this by using -
> real ones.
>
> Set up another radius server with identical configuration which will
> process inner tunnel requests. Add realm inner-tunnel to the current
> server proxy.conf which will proxy requests to the new server. Add this
> to users file:
>
> DEFAULT FreeRADIUS-Proxied-To = 127.0.0.1, Proxy-To-Realm :=
> "inner-tunnel"
>
> In that way stripped username will be sent to inner-tunnel server for
> authentication (which you have showed to work). You can't simply
> rewrite User-Name with Stripped-User-Name in your current setup because
> EAP will fail.
>
> Ivan Kalik
> Kalik Informatika ISP

Thank you for the detailed analysis and explanation.

For now I think I'll stick with the Apple supplied version of radiusd - perhaps Mac OS X Server 10.5.5 will include a newer radiusd(!) - When Apple (or I) updates to the current version of radiusd, will my current configuration then work as expected or how will I need to alter the configuration?

This morning I found an acceptable workaround that I will stick to for the moment: That is to create an alias for the user in the Open Directory. The user "u1" is now also known as "[EMAIL PROTECTED]" hence it will be authenticated ;-). I "only" need to alter a few hundred users (need to make a script I guess :), but I'll get a "cleaner" setup by only being dependent upon _one_ server for the radius authentication.

Thank you again for your analysis!

- TvE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

