...
Note that one parameter shared by the ttls and peap stanzas is "virtual_server = eduroam-inner-tunnel". This means that the inner EAP authentication will be carried out in this other virtual server, which we will define later.
Virtual server eduroam: enable EAP, make Operator-Name conditional
Compared to the eduroam SP config, you simply need to additionally list the "eap" module in both the authorize and authenticate stanzas of the file /etc/raddb/sites-enabled/eduroam, so that your server can process EAP requests from your own userbase. The two stanzas will then look like the following:

```
authorize {
    auth_log
    suffix
    eap
}

authenticate {
    eap
}
```

You should also make sure to only tag those incoming requests with the Operator-Name attribute which actually originate from your own WiFi gear: as an IdP, your own users roaming elsewhere will also be processed by this server, but their requests must not be tagged with your own Operator-Name. For the purposes of this wiki, let's assume that you are connected to one FLR server, and it is defined in your clients.conf with the shortname "antarctica-flr-1" (see below for the exact definition).

The authorize stanza will then look like the following:

```
authorize {
    # Anything that is not the FLR is our own WiFi gear, so we are the SP
    # for this session and tag the request. %{client:shortname} is the
    # FreeRADIUS 3 xlat for the client's shortname from clients.conf.
    if ( "%{client:shortname}" != "antarctica-flr-1" ) {
        update request {
            Operator-Name := "1yourdomain.tld"
            # the literal number "1" above is an important prefix! Do not change it!
            # (it is the RFC 5580 namespace identifier for the REALM namespace)
        }
    }
    auth_log
    suffix
    eap
}
```
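As an added illustration (not FreeRADIUS or eduroam project code), the following Python model mirrors the conditional "update request" above so that the two cases, requests from your own WiFi gear versus requests forwarded by the FLR, can be checked offline. The client shortnames, the realm "yourdomain.tld" and the three sample requests are constructed assumptions chosen to match the wiki text; the RFC 5580 namespace byte is the reason for the literal "1" prefix.

```python
"""Model of the eduroam IdP Operator-Name policy (added example, not
FreeRADIUS code).  It reproduces the decision made by

    if ( "%{client:shortname}" != "antarctica-flr-1" ) {
        update request { Operator-Name := "1yourdomain.tld" }
    }

for a few constructed Access-Requests.  Shortnames, realm and sample
requests are assumptions matching the wiki text."""

from dataclasses import dataclass, field

# RFC 5580, section 4.1: the first character of Operator-Name is a namespace
# identifier, and "1" selects the REALM namespace.  That is the literal "1"
# the wiki tells you not to change.
NAMESPACE_REALM = "1"

# clients.conf shortnames of upstream proxies.  Requests arriving through
# them belong to roaming users of other operators.  "antarctica-flr-1" is
# the example FLR shortname used on this page (assumed).
UPSTREAM_CLIENTS = {"antarctica-flr-1"}

MY_REALM = "yourdomain.tld"  # assumed realm of this IdP/SP


@dataclass
class Request:
    """The parts of a RADIUS Access-Request this policy looks at."""
    client_shortname: str            # %{client:shortname} in FreeRADIUS 3
    user_name: str
    attrs: dict = field(default_factory=dict)


def operator_name_for(realm: str) -> str:
    """Build a REALM-namespace Operator-Name value, e.g. '1yourdomain.tld'."""
    if not realm or "@" in realm:
        raise ValueError("Operator-Name realm must be a bare domain name")
    return NAMESPACE_REALM + realm


def is_realm_operator_name(value: str) -> bool:
    """True if value carries the REALM namespace byte plus a non-empty realm."""
    return len(value) > 1 and value[0] == NAMESPACE_REALM


def authorize(req: Request) -> Request:
    """Mirror the conditional 'update request' in the eduroam virtual server."""
    if req.client_shortname not in UPSTREAM_CLIENTS:
        # From our own WiFi gear: we are the SP for this session, so set
        # (unlang ":=" adds or replaces) our own Operator-Name.
        req.attrs["Operator-Name"] = operator_name_for(MY_REALM)
    # Forwarded by the FLR: a roaming user of another operator.  Leave any
    # Operator-Name the visited SP set untouched, and add none if absent.
    return req


def run_samples() -> dict:
    """Run three constructed requests through the policy; return the
    resulting Operator-Name (or None) per sample."""
    samples = {
        "own_ap": Request("ap-library-01", "alice@yourdomain.tld"),
        "roaming_tagged": Request("antarctica-flr-1", "bob@yourdomain.tld",
                                  {"Operator-Name": "1visited.example"}),
        "roaming_untagged": Request("antarctica-flr-1", "carol@yourdomain.tld"),
    }
    return {name: authorize(req).attrs.get("Operator-Name")
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, op in run_samples().items():
        print(f"{name:18} Operator-Name = {op!r}")
```

The "roaming_tagged" sample is the case the conditional exists for: a request relayed by the FLR already carries the visited operator's name, and an unconditional "Operator-Name :=" would have overwritten it with yours.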
Virtual server eduroam-inner-tunnel
...