Re: Adding proxying to our EAP setup
Dave Mussulman <mussulma@uiuc.edu> wrote:
> What's the recommended way to configure failover proxying/realms when
> there's no realm-ish identifier? When "user" logs in, I want them to
> check against ntlm_auth, and if that fails, resort back to a proxied
> realm as "user".
That's a little difficult to do, because the "do proxy" code isn't
tied into the "authenticate" section. Instead, you could look the
user up in LDAP, and if they're not found, set "Proxy-To-Realm :=
foo", where "foo" is a normal realm.
> Right now, I'm doing that via the default config realm suffix {}
> module, and a realm NULL section in proxy.conf. Is there a better
> way? Hints or something? Does this involve the
> configurable_failover documentation?
Yes.
> Second question involves proxies and EAP. Since my upstream RADIUS
> server I'm proxying to doesn't seem to support EAP, is it even possible
> for my RADIUS server (in its PEAP/MSCHAPv2 decoding) to create a
> 'normal' RADIUS packet to relay?
Yes. You can proxy the inner EAP-MSCHAPv2 session as MS-CHAPv2.
Read "eap.conf".
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
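As a concrete illustration of the "look the user up in LDAP, and if not found set Proxy-To-Realm" approach above, here is an added example (not from the original thread or the FreeRADIUS project). It assumes FreeRADIUS 2.x unlang syntax, module instances named "ldap" and "ntlm_auth", a realm "foo" pointing at a constructed upstream address, and that for PEAP the same authorize logic lives in the inner-tunnel virtual server.

```unlang
# sites-available/default (or inner-tunnel for PEAP) -- added example, 2.x syntax
authorize {
    preprocess
    suffix              # strips user@realm and proxies known realms as usual
    eap {
        ok = return     # outer EAP packets go straight to the eap module
    }

    ldap                # look the user up locally
    if (notfound) {
        # Unknown locally: hand the request to realm "foo" with User-Name
        # unchanged, so the upstream sees plain "user".
        update control {
            Proxy-To-Realm := "foo"
        }
    }
    else {
        # Found locally: authenticate against AD via ntlm_auth.
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth       # exec-module instance that runs Samba's ntlm_auth
    }
    eap
}

# proxy.conf -- realm "foo"; ipaddr/secret are constructed placeholders
home_server upstream {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = changeme-placeholder
}
home_server_pool upstream_pool {
    type        = fail-over
    home_server = upstream
}
realm foo {
    auth_pool = upstream_pool
    nostrip             # keep User-Name as "user", no realm suffix appended
}

# eap.conf -- proxy the inner MS-CHAPv2 as plain MS-CHAPv2, not as EAP,
# since the upstream server does not speak EAP
peap {
    proxy_tunneled_request_as_eap = no
}
```

The `proxy_tunneled_request_as_eap = no` knob is the eap.conf setting that turns the inner EAP-MSCHAPv2 exchange into a normal MS-CHAPv2 Access-Request before it is proxied; without it the upstream would receive EAP it cannot handle.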