cd $(R)$(raddbdir)/sites-enabled/; \
ln -s ../sites-available/default; \
fi
+ if [ ! -f $(R)$(raddbdir)/sites-enabled/inner-tunnel ]; then \
+ cd $(R)$(raddbdir)/sites-enabled/; \
+ ln -s ../sites-available/inner-tunnel; \
+ fi
clean:
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
+# EAP types NOT listed here may be supported via the "eap2" module.
+# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# the virtual server that processed the
# outer requests.
#
- #virtual_server = "inner-tunnel"
+ virtual_server = "inner-tunnel"
}
##################################################
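Review bot: Uncommenting `virtual_server = "inner-tunnel"` here, and in the identical second `virtual_server` hunk that follows, changes which policy is applied to tunneled credentials. Per the context comment, the inner request previously fell back to the virtual server that processed the outer request, so any checks an operator added there no longer run on the inner identity after an upgrade. The surrounding comment should say that this is now the default and that inner-session policy belongs in `sites-available/inner-tunnel`, for example `# Enabled by default: inner requests are handled by the "inner-tunnel" virtual server, not by the server that processed the outer request.` It also presumably makes `sites-enabled/inner-tunnel` a hard requirement, and the Makefile hunk only creates that symlink at install time, so an existing raddb that picks up the new eap.conf without it should be checked for a clear startup error rather than a silent fallback. The enclosing block starts outside the hunk.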
# the virtual server that processed the
# outer requests.
#
- #virtual_server = "inner-tunnel"
+ virtual_server = "inner-tunnel"
}
#
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
+ # Note that proxying the inner tunnel authentication means
+ # that the user MAY use one identity in the outer session
+ # (e.g. "anonymous", and a different one here
+ # (e.g. "user@example.com"). The inner session will then be
+ # proxied elsewhere for authentication. If you are not
+ # careful, this means that the user can cause you to forward
+ # the authentication to another RADIUS server, and have the
+ # accounting logs *not* sent to the other server. This makes
+ # it difficult to bill people for their network activity.
+ #
suffix
# ntdomain
#
+ # The "suffix" module takes care of stripping the domain
+ # (e.g. "@example.com") from the User-Name attribute, and the
+ # next few lines ensure that the request is not proxied.
+ #
+ # If you want the inner tunnel request to be proxied, delete
+ # the next few lines.
+ #
+ update control {
+ Proxy-To-Realm := LOCAL
+ }
+
+ #
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
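Review bot: The instruction "delete the next few lines" in the added comment does not say which lines, and the block it refers to is the only thing stopping inner-tunnel requests from being proxied; name it explicitly, e.g. `# If you want the inner tunnel request to be proxied, delete the "update control" block below.` The earlier added note frames the outer/inner identity mismatch only as a billing problem, but it also means a user-chosen inner realm decides which home server receives the tunneled credentials. The comment should therefore tell operators who re-enable proxying to first check that the inner realm matches the outer one, or is on an allowed list. The first added paragraph also has an unclosed parenthesis: `(e.g. "anonymous", and` should read `(e.g. "anonymous"), and`. The enclosing section starts and ends outside the hunk.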