> >>> What I really need to do is proxy the inner message to another > >>> Radius server which will do the authentication but I cannot get this > >>> to work. Whatever I try, I always see an EAP-Message avp heading off > >>> to the remote server. I have looked at the proxy-inner-tunnel > >>> virtual server but am unsure how to use it. > > > >> This *is* proxying the inner tunnel; the inner tunnel auth is also > >> EAP, and you're sending it to the remote server. > > > > Thanks, this is NOT what I want to do. I want to send the inner > > message, not the tunnel and do PAP on the remote server.
> You can only do PAP on the remote server if your inner auth method was PAP. > Basically, this means EAP-TTLS/PAP. > Doing that is simple: > server inner-tunnel { > authorize { > update control { > Proxy-To-Realm := THEREALM > } > } > } > If this isn't working, send a debug from "radiusd -X" Many thanks Phil, that now works a treat. For other folks, the main trip up I had was the eapol config. Originally I had: network={ eap=TTLS eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="testpassword" ca_cert="/home/carla/ca.pem" phase2="auth=TTLS" } As per the original page, but I really needed: network={ eap=TTLS eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" password="testpassword" ca_cert="/home/carla/ca.pem" phase2="auth=PAP" } The "phase2" indicating the "inner" protocol. Obvious when you know! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html