Hello Peter,

Try looking at the "attr_filter" section and configure it as you wish:

In your radiusd.conf:
attr_filter attr_filter.post-proxy {
      attrsfile = ${some path}/attrs.post-proxy
}

This file may contain similar information:
DEFAULT
        User-Name =* ANY,
        Reply-Message =* ANY,
        State =* ANY,
        Class =* ANY,
        Message-Authenticator =* ANY,
        Calling-Station-ID =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY

State and EAP-Message are needed for EAP.
User-Name is for proxying to the right destination.

If you do not put "User-Password" in this file, you will have this argument removed.

Some institutions will do PEAP instead of EAP-TTLS. It's most likely a bad idea to do processing on EAP-Message.

Regards,

Vincent
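
Added example (not part of either message, and not FreeRADIUS code): a Python sketch of the allowlist behaviour described in the reply above, where any attribute not listed in the attrs file is removed. It handles only the DEFAULT entry and the `=* ANY` items shown in the reply; the function names, the case-insensitive name comparison and the sample attribute list are assumptions made for illustration.

```python
import re

# Copy of the attrs.post-proxy content from the reply (embedded so this runs offline).
ATTRS_FILE = """\
DEFAULT
        User-Name =* ANY,
        Reply-Message =* ANY,
        State =* ANY,
        Class =* ANY,
        Message-Authenticator =* ANY,
        Calling-Station-ID =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY
"""
# One "<Attribute> =* ANY" item, with an optional trailing comma.
ITEM = re.compile(r"^([A-Za-z0-9-]+)\s*=\*\s*ANY,?$")

def parse_allowlist(text):
    """Return the lower-cased attribute names listed under the DEFAULT entry."""
    allowed, in_default = set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        if line and not raw[0].isspace():          # entry header starts at column 0
            in_default = line == "DEFAULT"
        elif in_default and (m := ITEM.match(line)):
            allowed.add(m.group(1).lower())        # assumption: names compared case-insensitively
    return allowed

def apply_filter(attrs, allowed):
    """Split (name, value) pairs into (kept, removed) by allowlist membership."""
    kept = [(n, v) for n, v in attrs if n.lower() in allowed]
    removed = [(n, v) for n, v in attrs if n.lower() not in allowed]
    return kept, removed

# Constructed sample attribute list; values are placeholders, not real traffic.
SAMPLE = [
    ("User-Name", "anonymous@example.org"),
    ("User-Password", "constructed-cleartext"),
    ("EAP-Message", "0x0201"),
    ("State", "0xabcd"),
    ("NAS-IP-Address", "192.0.2.10"),
]

if __name__ == "__main__":
    kept, removed = apply_filter(SAMPLE, parse_allowlist(ATTRS_FILE))
    print("kept:", [n for n, _ in kept], "removed:", [n for n, _ in removed])
```
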

Peter Eriksson <[EMAIL PROTECTED]> wrote:

One thing I'd like to achieve in the "EDUROAM"-responsible RADIUS
"router" (server) is to make sure that *only* EAP-TTLS requests are
forwarded to the RADIUS server doing the real user authentication.

Anyone got something already configured that I could copy?

I.e., I would like to make sure that it will reject requests that
come in from the outside with user+password stuff sent in cleartext.

(And also make sure it won't send out such requests itself).
