Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

Ryan majereryan at gmail.com
Mon Mar 24 10:27:09 CET 2008


I enabled MS-CHAP on the radius whereby the request is to be proxied
to. Using the configuration mentioned in
http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069292.html
as a guide, I was able to configure the radius to proxy the request as
plain MS-CHAP; however, I encountered some problems when the response is
returned.

Will address this in a separate message as the subject is no longer appropriate.

Regards,
Ryan

On Mon, Mar 24, 2008 at 10:30 AM, Ryan <majereryan at gmail.com> wrote:
> Ok, thanks for pointing this out.
>
>  I suppose I will have to either enable EAP on the radius for the EAP
>  request to be proxied or have MSCHAP configured on it. Though using
>  EAP will mean I need to recompile the radius as I'm using the source
>  packages. The radius that I need to proxy to runs 1.1.7 with LDAP.
>
>  Do you have any advice on which will be a better approach?
>
>  Thanks/Regards,
>  Ryan
>
>  >  You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can
>  >  proxy that. You can't transform that into PAP. If you have a look at
>  >  the thread you have quoted you will see that his users were using
>  >  EAP-TTLS PAP not PEAP.
>  >
>  >  Ivan Kalik
>  >  Kalik Informatika ISP
>  >
>  >
>  >  On 22/3/2008, "Ryan" <majereryan at gmail.com> wrote:
>  >
>  >  >Sorry for being not specific enough. Was thinking of understanding how
>  >  >it works and then figure out the configuration myself.
>  >  >
>  >  >Basically I need to terminate a request that uses EAP/PEAP on the main
>  >  >radius and proxy the request to an inner radius server for
>  >  >authentication using PAP. What will I need to configure in order to
>  >  >get it forwarded correctly?
>  >  >
>  >  >Thanks/Regards,
>  >  >Ryan
>  >  >
>  >  >Ryan wrote:
>  >  >> Just read through some of the messages available on proxy tunneling.
>  >  >> I'm currently using 2.0.2 and read through the examples on inner
>  >  >> tunnel which seems to be able to do what I need. Can someone help by
>  >  >> providing more details on how it actually works?
>  >  >
>  >  > PEAP authentication is really SSL + authentication inside of the SSL
>  >  >tunnel.  So... the server handles authentication "outside" of the
>  >  >tunnel, and authentication "inside" of the tunnel as independent
>  >  >authentications.
>  >  >
>  >  > Do you have *specific* questions?  Asking "how does it work" is rather
>  >  >open-ended.
>  >  >
>  >  > Alan DeKok.
>
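
An added example, not part of the original thread, of why a server that terminates the tunnel can forward EAP-TTLS/PAP as PAP but can only forward PEAP's inner EAP-MSCHAPv2 as MS-CHAP: the RADIUS User-Password attribute (RFC 2865) is computed from the cleartext password, which MSCHAPv2 never sends. The `proxy_attrs` helper, the dictionary keys and all sample values are constructed for illustration.

```python
import hashlib

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2 User-Password hiding. Input is the cleartext password."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as run by the home server that shares `secret`."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def proxy_attrs(inner: dict, secret: bytes, authenticator: bytes,
                as_pap: bool = False) -> dict:
    """Attributes the terminating server can forward for one inner authentication."""
    if "password" in inner:  # EAP-TTLS/PAP: the tunnel delivered the cleartext password
        return {"User-Name": inner["User-Name"],
                "User-Password": pap_hide(inner["password"], secret, authenticator)}
    if as_pap:  # PEAP/EAP-MSCHAPv2: only a challenge and a response were delivered
        raise ValueError("no cleartext password inside the tunnel; "
                         "cannot build User-Password")
    # RFC 2548 sec. 2.3.2 layout: Ident, Flags, Peer-Challenge(16), Reserved(8), Response(24)
    value = (bytes([inner["ident"], 0]) + inner["peer_challenge"]
             + bytes(8) + inner["nt_response"])
    return {"User-Name": inner["User-Name"],
            "MS-CHAP-Challenge": inner["auth_challenge"],
            "MS-CHAP2-Response": value}

# Constructed sample data (not real credentials or captured traffic)
AUTH = bytes(range(16))        # Request Authenticator of the proxied packet
SECRET = b"next-hop-secret"    # shared secret with the home server
TTLS_PAP = {"User-Name": "ryan", "password": b"example-password-17"}
PEAP = {"User-Name": "ryan", "ident": 1, "auth_challenge": bytes(16),
        "peer_challenge": bytes(range(16, 32)), "nt_response": bytes(24)}

if __name__ == "__main__":
    print(proxy_attrs(TTLS_PAP, SECRET, AUTH))
    print(proxy_attrs(PEAP, SECRET, AUTH))
```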


