Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?

Max Palatnik mpalatnik at wustl.edu
Fri Jul 10 22:30:16 CEST 2009


I can't believe it.  We had a line in our hints file that was totally 
screwing us up -- I had no idea it was there until just now:


DEFAULT Prefix == "anonymous", Strip-User-Name = No
        Realm = "LOCAL"

This is why I couldn't understand what you guys were talking about: 
since we always use anonymous as our outer-identity for TLS-type 
connections, I could not for the life of me figure out why adding a 
server to the proxy.conf would ever work.  Is it possible to select 
based on EAP-type (i.e. if TTLS, do LOCAL authentication)?  Right now we 
are doing it based on prefix/suffix.

Regardless, I think we have this solved now.  This problem was way 
easier than we thought once we got a grasp on all of the processing we 
were doing.  Argh!  Thank you Ivan & Alan for pointing us in the right 
direction.

Sincerely,
 Max

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>   
>> What we are wondering is if it's possible to still have requests come  
>> through to our freeradius box, and instead of providing the certificate  
>> and proxying the contents of the inner tunnel to the AD box.. if it's  
>> possible to simply proxy the entire request, PEAP/MSCHAP and all,  
>> directly to their AD servers?  They are hesitant to allow our freeradius  
>> box to join the domain, and if it's doable, a workaround would be the  
>> preferred route.
>>     
>
> yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc)
> and then you simply proxy the whole shaboodle off to them to deal with
> - then you don't need to play around with ntlm_auth etc etc. of course,
> they'll have to put required certs onto their auth system but that's a minor
> issue. 
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
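The hints entry above is the whole story: a `Prefix == "anonymous"` check matches every outer identity that starts with "anonymous", and adding `Realm = "LOCAL"` to the request means the suffix/realm step later sees a destination realm already set and never proxies. The following Python is a constructed, simplified model of that authorize-stage ordering written for this archive page; it is not FreeRADIUS source, and the function names, the `known_realms` table and the sample identities are assumptions made for the illustration.

```python
"""Constructed model (not FreeRADIUS code) of how a 'hints' entry with a
Prefix check interacts with a suffix-based realm step during authorize.

The point it shows: a hint that sets Realm = "LOCAL" on every
"anonymous..." outer identity stops the suffix step from ever setting
Proxy-To-Realm, so nothing configured in proxy.conf is reached.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a RADIUS request's attribute list."""
    attrs: dict = field(default_factory=dict)


def apply_hints_entry(request, prefix, strip_user_name, add_attrs):
    """Emulate a hints entry of the form
         DEFAULT Prefix == "<prefix>", Strip-User-Name = <Yes|No>
                 <add_attrs>
    The entry matches when User-Name starts with <prefix>; on a match the
    extra attributes are added to the request and, if stripping is on,
    Stripped-User-Name is set to the remainder."""
    name = request.attrs.get("User-Name", "")
    if not name.startswith(prefix):
        return False
    if strip_user_name:
        request.attrs["Stripped-User-Name"] = name[len(prefix):]
    request.attrs.update(add_attrs)
    return True


def realm_suffix(request, known_realms):
    """Emulate a suffix realm step (split on the last '@').
    As in the thread's behaviour, it does nothing when the request already
    carries a Realm attribute. known_realms maps realm -> "LOCAL" or "proxy"
    (assumed simplification of the proxy.conf realm table)."""
    if "Realm" in request.attrs:
        return "noop: request already has destination realm"
    name = request.attrs.get("User-Name", "")
    if "@" not in name:
        return "noop: no realm delimiter"
    realm = name.rsplit("@", 1)[1]
    if realm not in known_realms:
        return "noop: unknown realm"
    request.attrs["Realm"] = realm
    if known_realms[realm] != "LOCAL":
        request.attrs["Proxy-To-Realm"] = realm
        return "proxy"
    return "local"


def authorize(user_name, hints_entry, known_realms):
    """Run the two steps in the order hints -> suffix, like the authorize
    section the thread describes. Returns (outcome, final attributes)."""
    req = Request({"User-Name": user_name})
    if hints_entry:
        apply_hints_entry(req, **hints_entry)
    outcome = realm_suffix(req, known_realms)
    return outcome, req.attrs


# Constructed sample data: the problematic hint from the message and an
# assumed realm table with one proxied partner realm.
BAD_HINT = {"prefix": "anonymous", "strip_user_name": False,
            "add_attrs": {"Realm": "LOCAL"}}
REALMS = {"partner.example": "proxy", "LOCAL": "LOCAL"}

if __name__ == "__main__":
    for hint in (BAD_HINT, None):
        outcome, attrs = authorize("anonymous@partner.example", hint, REALMS)
        print("with hint" if hint else "without hint", "->", outcome, attrs)
```

Running it shows the same identity going `noop: request already has destination realm` with the hint in place and `proxy` to `partner.example` once the hint is removed, which is exactly the difference the message above describes.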