post-auth for proxied peap inner

Phil Mayers p.mayers at imperial.ac.uk
Sat Oct 26 20:28:19 CEST 2013


On 25/10/2013 18:18, Alan DeKok wrote:
> Phil Mayers wrote:
>> We have a need to run the post-auth section on proxied peap/ttls inner
>> (proxied as EAP - none of the crazy packet mangling hacks). 2.x doesn't
>> do this, I haven't checked 3.x but assume it's unchanged?
>
>    Actually, 2.2.1 should do this.
>
>> I've tried a few crazy hacks in the source but it all explodes; does
>> anyone have any insight into what needs doing?
>
>    Magic.  It's always magic.

I'm having a *really* hard time understanding how this works at all; I 
don't get how the code in peap.c:~1126 actually causes a proxy request 
to be sent; ultimately it's all called via rad_authenticate, which only 
seems to check/process request->proxy after authorize, when rlm_eap does 
all its work in authenticate.

Put another way - the original PEAP request containing the PEAP inner 
comes into rad_authenticate via listen.c - I don't see how, once TLS is 
decoded and peap.c has run the fake request via the inner tunnel server, 
the proxy packet gets sent and replied to.

(The reason for wanting to know this is to understand where to put the 
processing code so that the "fake" can be pushed through post-auth 
correctly without breaking the "proxy as non-EAP" workaround)

