proxy EAP/PAP ?

Tim Winders twinders at southplainscollege.edu
Wed Sep 21 21:12:22 CEST 2005


I haven't heard from anyone, so, I have been doing A LOT of
experimentation...

So far, I have it working, but, it's a bit goofy.

I have freeradius-1.0.5 running on RedHat Linux using a default ./configure
and installation.

I modified the radiusd.conf/users/proxy.conf files to support eap/pap from a
Windows client, and proxying to my Tru64 box running Livingston radius.

I am using the SecureW2 3.1 supplicant for Windows XP.  I had to monkey
around with the outer settings.  I discovered that if using the default
anonymous outer identity that the realm in the user dialog box is sent with
the anonymous outer identity.

So, if I set up a NULL realm to proxy in freeradius, then anonymous would try
to be proxied to my Tru64 box and would always fail.

I set up a southplainscollege.edu realm to proxy and put in
twinders at southplainscollege.edu in the user credentials in SecureW2, but
then it would send anonymous at southplainscollege.edu as the outer identity
and it would be proxied and fail.

Finally, I removed the NULL realm from proxying, and in the outer identity I
typed in anonymous, rather than using the default anonymous option.  In the
user credentials, I put in twinders at southplainscollege.edu.  With this
setup, anonymous would be sent, no NULL realm would be found and it would be
authenticated against freeradius properly as an EAP session.  It would then
strip southplainscollege.edu from my user credentials and proxy that to the
Tru64 box and it would be authenticated.

So, after MUCH monkeying around, I have this working.

Is the sending of the realm with the default anonymous outer identity the
expected behavior?  Should I ask the SecureW2 group about the behaviour I am
seeing?

Hope this helps someone else.  Thanks!

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 

Problem replying to my email?  Click the "Sign" button in the OE toolbar or,
better yet, get your own FREE Personal E-Mail Digital ID:
http://www.thawte.com/email/index.html 

> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Tim Winders
> Sent: Tuesday, September 20, 2005 2:41 PM
> To: freeradius-users at lists.freeradius.org
> Subject: proxy EAP/PAP ?
> 
> Hello All -
> 
> As I can't seem to get freeradius working on my Tru64 box and my box seems
> to be "broken" I thought I'd try to install freeradius on a RHEL box and use
> the fr proxy feature to proxy back to my Tru64 box running the Livingston
> Radius server.
> 
> My question, I want to be able to authenticate against the Tru64 passwd user
> database from a Windows client connected to a wireless AP running WPA.
> 
> When I had a working fr on the Tru64 box, I was able to use the SecureW2
> supplicant on XP with EAP/PAP to authenticate against passwd and it worked
> great.
> 
> So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius
> on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP
> authentication?  I'm reading the proxy doc, but, I don't see anything about
> that, or if it's even applicable.
> 
> ---
> 
> Tim Winders
> Associate Dean of Information Technology
> South Plains College
> Levelland, TX 79336 
> 
> Problem replying to my email?  Click the "Sign" button in the 
> OE toolbar or,
> better yet, get your own FREE Personal E-Mail Digital ID:
> http://www.thawte.com/email/index.html
> 
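
The routing behaviour described in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of how the realm on the outer identity decides whether the EAP conversation is proxied to the non-EAP home server. The `example.edu` realm, the `alice` user and all function names are constructed for illustration.

```python
# Simplified model of the realm routing described in the post (not FreeRADIUS code).
# Assumption from the post: the home server is not EAP-aware, so any EAP
# conversation proxied to it fails; only the inner PAP request can be proxied.

def split_realm(identity):
    """Return (user, realm); realm is None when the identity has no '@realm'."""
    user, sep, realm = identity.rpartition("@")
    return (user, realm) if sep else (identity, None)

def route(identity, proxied_realms):
    """Return 'proxy' or 'local'. The string 'NULL' in proxied_realms
    stands for 'identity carries no realm', as in the post."""
    _, realm = split_realm(identity)
    key = realm if realm is not None else "NULL"
    return "proxy" if key in proxied_realms else "local"

def authenticate(outer, inner, proxied_realms):
    """Walk one EAP/PAP login and return (result, detail)."""
    # Step 1: the outer identity is routed first. If its realm is proxied,
    # the EAP packets go to the home server, which cannot handle them.
    if route(outer, proxied_realms) == "proxy":
        return ("fail", f"outer identity {outer!r} proxied as EAP")
    # Step 2: EAP ends on the local server; the inner PAP credentials are
    # routed on their own realm and can be proxied as plain RADIUS.
    if route(inner, proxied_realms) == "proxy":
        user, _ = split_realm(inner)
        return ("ok", f"PAP for {user!r} proxied with realm stripped")
    return ("local", f"{inner!r} checked against the local user store")

# Constructed inputs mirroring the three setups in the post.
ATTEMPTS = {
    "NULL realm proxied, outer 'anonymous'":
        ("anonymous", "alice", {"NULL"}),
    "realm proxied, supplicant appends realm to outer identity":
        ("anonymous@example.edu", "alice@example.edu", {"example.edu"}),
    "realm proxied, outer typed as bare 'anonymous', no NULL realm":
        ("anonymous", "alice@example.edu", {"example.edu"}),
}

def run_attempts():
    """Return {description: (result, detail)} for each modelled setup."""
    return {name: authenticate(*args) for name, args in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, (result, detail) in run_attempts().items():
        print(f"{result:5} | {name}: {detail}")
```

Only the third setup succeeds in the model, matching the post: the outer identity must not match any proxied realm, while the inner identity must.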