Authentication problems depending on connection type

Alex Gregory alex at c2company.com
Thu Oct 30 18:25:28 CET 2014


Thank you, Stefan.  This sounds like what I want to do.  Since I am using OTP, passwords sent in clear text are ok (and required by the upstream OTP radius server).  I had the proxy set up, but it sounds like I need to figure out how to proxy just the inner tunnel request.  I will check the inner-tunnel config even deeper and see what I can come up with.  If you have any tips I am open. ;)

Thanks,

Alex



> On Oct 24, 2014, at 11:01 AM, Stefan Paetow <Stefan.Paetow at ja.net> wrote:
> 
>> I was under the impression that, with EAP, it encapsulates the password in the EAP transmission.  
>> If I can only do EAP, then that means it can never send it in the clear.  Which means, if I want to send 
>> the radius server the password in the clear (since it's OTP) what I am doing can’t be done.  Is this correct?
> 
> Alex, 
> 
> When you receive an EAP access request, FreeRADIUS will pass the request on to the 'inner-tunnel' server (defined in /etc/raddb/sites-available/inner-tunnel). If you have an OTP server, you can then proxy the inner tunnel request to the OTP server. Of course, you then lose any of the protection that EAP-TTLS provides, but then again, if you're using PAP only, all bets are off anyway.
> 
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
> 
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
> 
> Janet, the UK's research and education network.
> 
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
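
Added example, not part of the original thread and not FreeRADIUS's shipped configuration: one way to proxy only the inner-tunnel request to the OTP server, as Stefan describes. The realm name `otp`, the pool and server names, the address 192.0.2.10 and the secret are placeholders, and the syntax assumes a FreeRADIUS 2.x/3.x layout.

```conf
# --- /etc/raddb/proxy.conf --------------------------------------------
# Upstream OTP RADIUS server (address and secret are placeholders).
home_server otp_server {
        type   = auth
        ipaddr = 192.0.2.10
        port   = 1812
        # On this hop User-Password is only obscured with the shared
        # secret (RFC 2865), so use a long random secret and a trusted path.
        secret = REPLACE_WITH_LONG_RANDOM_SECRET
}

home_server_pool otp_pool {
        type        = fail-over
        home_server = otp_server
}

# Hypothetical realm name, used only as a proxy target.
realm otp {
        auth_pool = otp_pool
        nostrip                 # send User-Name upstream unchanged
}

# --- /etc/raddb/sites-available/inner-tunnel --------------------------
server inner-tunnel {
        authorize {
                # The outer EAP-TTLS exchange terminates on this server.
                # Only the tunnelled PAP request (it carries User-Password)
                # is handed to the OTP realm; nothing is checked locally.
                if (User-Password) {
                        update control {
                                Proxy-To-Realm := "otp"
                        }
                }
        }

        post-proxy {
                # The OTP server's Access-Accept/Reject returns here and
                # becomes the result of the inner authentication.
        }
}
```

Running `radiusd -X` while a client authenticates shows whether the inner request is proxied to the `otp` realm or handled locally.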


