Terminate EAP in FreeRADIUS and do authentication in other RADIUS server.

Ruijgrok, Ronald ronald.ruijgrok at capgemini.com
Sat Oct 27 00:08:27 CEST 2007


Hi

I want to do 802.1x PEAP authentication on FreeRADIUS. Authentication
(username/password checking) needs to be done on another RADIUS server
(Safeword server), which is incapable of handling EAP requests.

What I do have working:
* PEAP with users in a local MySQL database on the FreeRADIUS server
* proxy simple authentication requests to Safeword server


I have configured all kinds of options suggested in this list to try to
terminate the EAP tunnel in FreeRADIUS, but still EAP messages are sent to
the Safeword server:
A RADIUS Access-Request is sent, with these attribute value pairs:
EAP-Message
User-Name
NAS-IP-Address
Message-Authenticator
Proxy-State

I should expect a RADIUS Access-Request with these attribute value pairs:
User-Name
User-Password
NAS-IP-Address
NAS-Port
Proxy-State

What am I doing wrong?

I have this in my users file:
NULL    Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := Safeword

I have this in proxy.conf:

realm LOCAL {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

realm Safeword {
        type = radius
        authhost        = <ip>:1645
        accthost        = <ip>:1646
        secret          = <secret>
}


Ronald
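
Added example, not part of the original post: a small Python parser that lists the attributes in a raw RADIUS Access-Request and reports whether it still carries EAP-Message (the symptom described above) or a plain User-Password. The packets, the user name `alice` and the NAS address are constructed samples; the attribute numbers are those of RFC 2865 and RFC 2869.

```python
import struct
# Attribute type numbers from RFC 2865 and RFC 2869.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 33: "Proxy-State", 79: "EAP-Message",
              80: "Message-Authenticator"}

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a raw Access-Request, checking lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def classify(packet: bytes) -> str:
    """Report whether a proxied Access-Request still carries EAP."""
    types = {t for t, _ in parse_attributes(packet)}
    if 79 in types:
        return "eap-forwarded"   # the home server would have to speak EAP
    if 2 in types:
        return "password-auth"   # plain User-Password request
    return "other"

def build(attrs):
    """Constructed sample: Access-Request, id 1, all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed packets mirroring the two attribute lists in the post.
SEEN = build([(79, b"\x02\x01\x00\x0a\x01alice"), (1, b"alice"),
              (4, bytes([192, 0, 2, 10])), (80, bytes(16)), (33, b"\x00\x01")])
WANTED = build([(1, b"alice"), (2, bytes(16)), (4, bytes([192, 0, 2, 10])),
                (5, struct.pack("!I", 1)), (33, b"\x00\x01")])
if __name__ == "__main__":
    for label, pkt in (("seen", SEEN), ("wanted", WANTED)):
        names = [ATTR_NAMES.get(t, str(t)) for t, _ in parse_attributes(pkt)]
        print(label, classify(pkt), names)
```

Feeding it the UDP payload of a request captured on the link to the second server shows which of the two shapes is actually being proxied.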