
List:       freeradius-users
Subject:    Re: question re inner tunnel / virtual server
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2011-04-25 6:47:46
Message-ID: 4DB51912.9050409 () deployingradius ! com

Michael Arndt wrote:
> I am trying to get a better grip on understanding the virtual server for the inner EAP
> tunnel.

  The TLS-based EAP methods involve setting up a TLS tunnel between the
client PC and the RADIUS server.  Processing of the TLS tunnel is done
by the "default" virtual server.  Just the same as CHAP, PAP, EAP-MD5, etc.

  Once the TLS tunnel is set up, authentication data is sent inside of
the tunnel.  The server treats this data just as if it was another
authentication request, *but* processes it through the "inner-tunnel"
virtual server.  This allows the inner-tunnel policies to be different
from the ones for the "default" virtual server.

  The policies *should* be different because it's a different kind of
authentication: inside of a TLS tunnel.

> - The eap module can map tunneled requests to a virtual server (inner tunnel)

  That's vague to the point of being meaningless.  What's "map" ?

> - It "knows" where to communicate by freeradius reading the virtual servers
> configs in sites-enabled

  I have no idea what that means.

> - So the port configured for the inner tunnel virtual server (a statement valid only
> for this inner tunnel VS) is only relevant externally for testing purposes, in
> order to test a correct FreeRADIUS config wrt EAP

  That sounds right.

> - FreeRADIUS handles the communication to the inner tunnel with the above-mentioned
> mapping of the eap module. So in production use there is no need to reference
> the port for the inner tunnel (except when proxying or using the test for EAP to
> check for a valid config)

  No.  Proxying has nothing to do with the "listen" section in the
inner-tunnel.

> -the main goal of the inner tunnel virtual server is to allow
> completely independent policies for  outer / inner tunneled sessions. 

  Yes.

  When trying to understand things, keep the descriptions concrete, and
fact-based.  Saying requests can "map" to something is vague.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
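As an added illustration of the split Alan describes (outer TLS handled by "default", decrypted inner data handed to "inner-tunnel", with the inner listen section present only for testing), here is an example configuration written for this page. It is not from the post or from the FreeRADIUS distribution; the module and section names follow the FreeRADIUS 2.x layout, while the certificate paths, the port number, and the test user and shared secret are assumptions.

```conf
# raddb/eap.conf (excerpt).  The TLS-based methods name the virtual server
# that processes the decrypted inner authentication data.  Nothing here
# refers to a port: the eap module calls that virtual server directly.
eap {
        default_eap_type = peap

        tls {
                # Outer TLS tunnel set-up; this part runs under the
                # "default" virtual server like any other request.
                # Paths are assumed.
                certificate_file = ${certdir}/server.pem
                private_key_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        mschapv2 {
        }
}

# raddb/sites-available/inner-tunnel (excerpt).  Policy for data that
# arrives inside the TLS tunnel, independent of the "default" server.
server inner-tunnel {
        # This listen section is NOT how tunnelled requests reach this
        # server.  It exists only so the inner policy can be exercised with
        # plain RADIUS from the local host, e.g. (user/secret assumed):
        #   radtest -t mschap bob hello 127.0.0.1:18120 0 testing123
        # Keep it bound to loopback: a request arriving this way carries
        # the inner credentials with no TLS protection around them.
        listen {
                ipaddr = 127.0.0.1
                port = 18120
                type = auth
        }

        authorize {
                mschap
                suffix
                # Do not proxy on the inner identity's realm; the outer
                # server already decided where this request belongs.
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                pap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }

        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

The point of keeping the two servers separate is visible in the authorize and authenticate sections: PAP and MS-CHAP are acceptable inside the tunnel because the TLS layer already protects them in transit, which is not a decision the "default" server should inherit. If the localhost listener is removed, production EAP authentication is unaffected, since the eap module never goes through it.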