Terminate TLS and proxy PEAP

fuki lukas.akermann at unifr.ch
Thu Sep 13 13:52:45 CEST 2007




Phil Mayers wrote:
> 
> On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
>> 
>> 
>> Phil Mayers wrote:
>> > 
>> > On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
>> > 
>> > You can certainly terminate the PEAP and still proxy the inner
>> > EAP-MSCHAP to another radius server; however as far as I am aware,
>> > FreeRadius doesn't yet have support for the various health state
>> > attributes, or for that matter >1 set of data inside the PEAP tunnel.
>> > 
>> > In particular if you are talking about the Vista built-in health check
>> > packets, that uses PEAPv2 which FreeRadius doesn't support, and you
>> > won't be able to terminate.
>> > 
>> 
>> Yes I'm talking about the Vista built-in health check packets. I used a
>> packet sniffer to analyze the submitted packets and compared them with
>> the PEAPv2 specification
>> (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11,
>> 2.1.4. Version Negotiation). According to the specification PEAP v0 is used
>> by Vista, so it should be possible to use FreeRadius as proxy to decrypt the
>> packages, to analyze the health state (has to be implemented) and to
>> proxy the inner EAP-MSCHAP to another radius server?
>> 
> 
> Provided FreeRadius can parse the PEAP contents (which it can't) then
> yes, sending the inner EAP-MSCHAP to another server is easy:
> 
> DEFAULT	FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
> 

Based on
http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.html
I got the following idea (it's suggested to work with FreeRadius):

RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (TLS termination and conversion) <- mschapv2 -> RADIUS Server

Are there any comments for this recommendation? If it works, does somebody
know how to configure the FreeRadius proxy?
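
The version check discussed in the thread (reading the PEAP version out of sniffed EAP packets), as an added example that is not part of the original messages: it decodes the EAP header and the PEAP flags octet, then applies the rule that the peer's reply may not exceed the version the server offered. The sample packets are constructed, and the three-bit version mask is an assumption based on the flags layout in the draft linked above.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25                     # EAP method type assigned to PEAP
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
VERSION_MASK = 0x07                    # assumption: Ver occupies the low three bits


def parse_peap(packet: bytes) -> dict:
    """Decode the EAP header and PEAP flags octet of one captured EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("only Request/Response packets carry a Type field")
    if length < 6 or length > len(packet):
        raise ValueError("EAP Length does not fit a PEAP packet in this capture")
    if packet[4] != EAP_TYPE_PEAP:
        raise ValueError(f"EAP type {packet[4]} is not PEAP")
    flags, body = packet[5], packet[6:length]
    tls_length = None
    if flags & FLAG_L:                 # 4-byte TLS message length follows the flags
        if len(body) < 4:
            raise ValueError("L flag set but TLS length field is missing")
        tls_length = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    return {"code": code, "id": ident, "version": flags & VERSION_MASK,
            "start": bool(flags & FLAG_S), "more_fragments": bool(flags & FLAG_M),
            "tls_length": tls_length, "tls_data": body}


def negotiated_version(server_start: bytes, peer_response: bytes) -> int:
    """Version in force: the peer's reply, which may not exceed the server's offer."""
    offer, reply = parse_peap(server_start), parse_peap(peer_response)
    if not offer["start"] or offer["code"] != EAP_REQUEST:
        raise ValueError("first packet is not a PEAP Start request")
    if reply["code"] != EAP_RESPONSE or reply["id"] != offer["id"]:
        raise ValueError("response does not answer the Start request")
    if reply["version"] > offer["version"]:
        raise ValueError("peer answered with a higher version than offered")
    return reply["version"]


# Constructed sample bytes, not taken from a real capture.
SERVER_START = bytes.fromhex("010100061921")        # Request, S flag, Ver=1
PEER_RESPONSE = bytes.fromhex("0201001419800000000a" "16030100050100000100")

if __name__ == "__main__":
    print("negotiated PEAP version:", negotiated_version(SERVER_START, PEER_RESPONSE))
```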