proxy incoming PAP request as outgoing PEAP/TTLS requests

Ian Chang-張志邦 Ian.Chang at zyxel.com.tw
Tue Sep 22 06:21:33 CEST 2015


Hi,

Is it better to do this in pam_radius_auth?

Thanks a lot.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw at lists.freeradius.org] On Behalf Of Ian Chang-張志邦
Sent: Tuesday, September 22, 2015 9:25 AM
To: FreeRadius users mailing list
Subject: RE: proxy incoming PAP request as outgoing PEAP/TTLS requests

Hi Alan,

Thanks for your comment.
Actually, the captive portal backend service and the freeradius server are on the same device.
We would like to transfer the requests as PEAP/TTLS before the requests go out the device.

Thanks a lot.

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+ian.chang=zyxel.com.tw at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, September 22, 2015 9:02 AM
To: FreeRadius users mailing list
Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests

On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang at zyxel.com.tw> wrote:
> This is exactly what we would like to do.
> captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server

  OK....

> As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.

  That isn't true.

> Hence, we would like to proxy the PAP requests as PEAP/TTLS requests.
> It is better that we could authenticate with the upstream server in the tunnel.

  No.  That's not true, either.

  The whole point of EAP is that NO ONE outside of the end user and home server knows what the password is.  The access point doesn't know it.  The intermediate proxies don't know it.

  Since the captive portal already sees the PAP password, adding EAP is useless.  It's *worse* than useless because it's adding complexity for no benefit.

  This is like saying "locks are good.  But my house is old, and doesn't have a lock on the front door.  So I'll put a lock on the floor beside my bed.  That will help!"

  No, it won't help.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
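
Added example, not part of the original thread or of FreeRADIUS: the RFC 2865 User-Password hiding that PAP uses, showing that any hop holding the shared secret (the captive portal backend and proxy in the diagram above) recovers the cleartext password before forwarding it. The secrets, authenticators, password and the `proxy_hop` helper are constructed for illustration.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: b(i) = MD5(shared secret + previous block)
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute value a PAP client sends."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-byte authenticator and a password of <= 128 bytes")
    blocks = max(1, -(-len(password) // 16))          # pad to a multiple of 16
    padded = password.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        hidden += prev                                 # ciphertext chains forward
    return hidden

def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What every RADIUS server or proxy holding the secret does on receipt."""
    if len(authenticator) != 16 or len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, _keystream(secret, prev))
        prev = block
    return clear.rstrip(b"\x00")

def proxy_hop(hidden, auth_in, secret_in, auth_out, secret_out):
    """Hypothetical proxy: it must unhide the password to re-hide it upstream."""
    seen = recover_user_password(hidden, secret_in, auth_in)
    return seen, hide_user_password(seen, secret_out, auth_out)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    portal_secret, upstream_secret = b"portal-secret", b"upstream-secret"
    auth_in, auth_out = bytes(range(16)), bytes(range(16, 32))
    wire = hide_user_password(b"correct horse battery staple", portal_secret, auth_in)
    seen, forwarded = proxy_hop(wire, auth_in, portal_secret, auth_out, upstream_secret)
    print("on the wire :", wire.hex())
    print("proxy sees  :", seen)
    print("home server :", recover_user_password(forwarded, upstream_secret, auth_out))
```
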
