Proxy EAP-TLS request after successful authorization with eap module
Alan DeKok
aland at deployingradius.com
Tue Oct 17 13:50:42 CEST 2017
On Oct 17, 2017, at 3:26 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> Should be possible, just call eap in authorise with method override.
>
> i.e.
>
> authorize {
>     eap
>
>     if (&control:Auth-Type == EAP) {
>         eap.authenticate
>     }
> }
Oh god... that might actually work.
You'd also have to delete the Auth-Type := EAP, too. And maybe add an "Auth-Type noop", with a "noop" thing there. Because the server really does expect to run an authenticate method.
> The trick there is determining when EAP has actually finished. I'd look and
> see if the return code of eap.authenticate changes on the final round
> after the user has been accepted, and use that as the trigger to proxy
> the final request to an upstream server.
>
> eap.authenticate
> if (ok) {
>     update control {
>         Proxy-To-Realm := 'foo'
>     }
> }
That should work. The EAP module returns "ok" only when the user is authenticated.
The other problem is that the reply from the home server will override the reply from the EAP module. So you have to cache the EAP reply (just one EAP-Message), and re-add it after you get the reply from the home server.
I'll see if I can do some testing today...
> If the return code doesn't change, then the outcome might be available
> somewhere else, but that'd require some digging.
>
> I don't think the inner tunnel runs for EAP-TLS? At least there's no reason
> for it to.
It's allowed for identity privacy. i.e. use an anonymous outer ID, and then send the certificate via the inner-tunnel.
Alan DeKok.
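Pulling the pieces of the thread together as one configuration sketch. This is an added example, not code from the thread or from the FreeRADIUS project, and it is as untested as the discussion above. It assumes FreeRADIUS 3.0.x unlang syntax, a realm named 'foo' already defined in proxy.conf, that the session-state list is readable in post-proxy within the same request, and a home server that does not itself run EAP (which is why the pre-proxy section strips the EAP-Message from the proxied copy; that step and the caching of the MS-MPPE keys next to the EAP-Message go beyond what the thread says).

```unlang
# Run EAP-TLS to completion inside "authorize", then proxy the final
# request to a home server and put the cached EAP reply back on top of
# the home server's answer.  Sketch only; see the assumptions above.

authorize {
    # "eap" inspects the packet and, for EAP requests, sets Auth-Type := EAP
    eap

    if (&control:Auth-Type == EAP) {
        # Drive the EAP state machine here instead of in "authenticate".
        # Intermediate rounds return "handled" and the Access-Challenge is
        # sent straight away; only the final, successful round returns "ok".
        eap.authenticate

        if (ok) {
            # Cache what EAP put in the reply, because the home server's
            # reply will override the local reply list.  Caching the MPPE
            # keys as well is an addition here, not from the thread.
            update session-state {
                &EAP-Message := &reply:EAP-Message
                &MS-MPPE-Recv-Key := &reply:MS-MPPE-Recv-Key
                &MS-MPPE-Send-Key := &reply:MS-MPPE-Send-Key
            }

            # Replace Auth-Type := EAP so the server does not try to run the
            # EAP module again, then hand the request to the realm.
            update control {
                &Auth-Type := noop
                &Proxy-To-Realm := 'foo'
            }
        }
    }
}

authenticate {
    # Placeholder method: the server expects an Auth-Type to exist even
    # when the request ends up being proxied.  This one just succeeds.
    Auth-Type noop {
        ok
    }
}

pre-proxy {
    # Assumption: the home server does not speak EAP, so the final
    # EAP-Response is removed from the proxied copy of the request.
    update proxy-request {
        &EAP-Message !* ANY
    }
}

post-proxy {
    # Re-add the cached EAP reply on top of whatever the home server sent
    if (&session-state:EAP-Message) {
        update reply {
            &EAP-Message := &session-state:EAP-Message
            &MS-MPPE-Recv-Key := &session-state:MS-MPPE-Recv-Key
            &MS-MPPE-Send-Key := &session-state:MS-MPPE-Send-Key
        }
    }
}
```

The check that matters when testing this is the "if (ok)" branch: if eap.authenticate returns the same code on the final round as on the intermediate ones, the trigger for setting Proxy-To-Realm never fires and every round is handled locally, exactly the uncertainty raised earlier in the thread. Running the server with -X and watching the return code of eap.authenticate on the last round is the quickest way to confirm it.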