Added notes on inner/outer tunnel identities being different.

	Enable "inner-tunnel" by default, and install it.
	Also by default, do NOT proxy inner tunnel sessions.

diff --git a/raddb/Makefile b/raddb/Makefile
index 20514a9..6a10069 100644 (file)
--- a/raddb/Makefile
+++ b/raddb/Makefile
@@ -75,5 +75,9 @@ install:
                cd $(R)$(raddbdir)/sites-enabled/; \
                ln -s ../sites-available/default; \
        fi
+       if [ ! -f $(R)$(raddbdir)/sites-enabled/inner-tunnel ]; then \
+               cd $(R)$(raddbdir)/sites-enabled/; \
+               ln -s ../sites-available/inner-tunnel; \
+       fi
 
 clean:

diff --git a/raddb/eap.conf b/raddb/eap.conf
index e942d11..48025ad 100644 (file)
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -11,8 +11,8 @@
 #  common side effect of setting 'Auth-Type := EAP' is that the
 #  users then cannot use ANY other authentication method.
 #
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
+#  EAP types NOT listed here may be supported via the "eap2" module.
+#  See experimental.conf for documentation.
 #
        eap {
                #  Invoke the default supported EAP type when
@@ -323,7 +323,7 @@
                        #  the virtual server that processed the
                        #  outer requests.
                        #
-                       #virtual_server = "inner-tunnel"
+                       virtual_server = "inner-tunnel"
                }
 
                ##################################################
@@ -406,7 +406,7 @@
                        #  the virtual server that processed the
                        #  outer requests.
                        #
-                       #virtual_server = "inner-tunnel"
+                       virtual_server = "inner-tunnel"
                }
 
                #

diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index bad8cc4..2059e23 100644 (file)
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -52,10 +52,32 @@ authorize {
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
+       #  Note that proxying the inner tunnel authentication means
+       #  that the user MAY use one identity in the outer session
+       #  (e.g. "anonymous", and a different one here
+       #  (e.g. "user@example.com").  The inner session will then be
+       #  proxied elsewhere for authentication.  If you are not
+       #  careful, this means that the user can cause you to forward
+       #  the authentication to another RADIUS server, and have the
+       #  accounting logs *not* sent to the other server.  This makes
+       #  it difficult to bill people for their network activity.
+       #
        suffix
 #      ntdomain
 
        #
+       #  The "suffix" module takes care of stripping the domain
+       #  (e.g. "@example.com") from the User-Name attribute, and the
+       #  next few lines ensure that the request is not proxied.
+       #
+       #  If you want the inner tunnel request to be proxied, delete
+       #  the next few lines.
+       #
+       update control {
+              Proxy-To-Realm := LOCAL
+       }
+
+       #
        #  This module takes care of EAP-MSCHAPv2 authentication.
        #
        #  It also sets the EAP-Type attribute in the request