Hi all, thanks for your explanation earlier!

I need your help with EAP-TTLS and PAP. I have earlier set up EAP-PEAP/EAP-TTLS and EAP-TLS working OK!
I tried configuring the TTLS-PAP inner and outer tunnel but it will not work
(and yes I have searched the forum, as always ;-)

Here is my explanation of what I'm trying to do:

A. If an incoming user conn. against the FreeRADIUS Server (Nr1) belongs to the "OTHER" (LOCAL) domain then
the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I didn't name the server ;-)

B. If an incoming user conn. against the FreeRADIUS Server (Nr1) belongs to the "SECURSERVER" domain then
the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).

I have tried several different conf. and as best I see requests are coming to Radius Nr2 but they're encrypted (Wireshark).
The config files look like this (as for now, thanks in advance!):
================================================================================================
eap.conf
========

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        private_key_password = password
        private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
        certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
        CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }

    peap {
        default_eap_type = mschapv2
        proxy_tunneled_request_as_eap = no
    }

    mschapv2 {
    }
}
===END EAP======================================================================================


================================================
users
========
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS", Auth-Type := PAP
DEFAULT Auth-Type != LDAP
================================================


================================================
Proxy.conf
========
realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm SECURACCESS {
    type = radius
    authhost = 192.168.1.75:1812
    accthost = 192.168.1.75:1813
    secret = toor
#   nostrip
}
================================================


================================================================================================
radiusd.conf
========

...
modules {

    pap {
        auto_header = yes
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

    $INCLUDE ${confdir}/eap.conf

    mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

    ldap {
        server = "192.168.1.71"
        identity = "cn=admin,o=Contonso"
        password = "toor"
        basedn = "o=Contonso"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        tls_mode = no
        tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = nspmPassword
        tls_require_cert = "allow"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        port = 389
        edir_account_policy_check = yes
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
...

authorize {
    preprocess
    chap
    mschap
    suffix
    ntdomain
    eap
    files
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
}

post-auth {
    ldap
    Post-Auth-Type REJECT {
        ldap
    }
}

===END radiusd.conf================================================================================


================================================
clients.conf
========
client 192.168.1.0/24 {
    secret = toor
    shortname = private-network-1
}

================================================
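Added example, not the poster's configuration and not FreeRADIUS code: a small Python model of how the posted `realm suffix` / `realm ntdomain` modules split User-Name against the two realms in proxy.conf, and of where the outer EAP-TTLS request and the inner (tunnelled) PAP request then end up. It assumes the FreeRADIUS convention the posted users file relies on (tunnelled inner requests carry FreeRADIUS-Proxied-To = 127.0.0.1) and models the suffix split on the last delimiter and the prefix split on the first.

```python
# Added example (not from the post, not FreeRADIUS code): models the posted
# realm modules and the resulting routing of outer vs. inner TTLS requests.

# Realms from the posted proxy.conf: LOCAL is handled here, SECURACCESS on Nr2.
REALMS = {"LOCAL": None, "SECURACCESS": "192.168.1.75:1812"}


def split_realm(user_name, fmt, delimiter):
    """Modelled on rlm_realm: 'suffix' splits on the last delimiter,
    'prefix' on the first.  Returns (stripped_user, realm) or None."""
    if fmt == "suffix":
        user, sep, realm = user_name.rpartition(delimiter)
    elif fmt == "prefix":
        realm, sep, user = user_name.partition(delimiter)
    else:
        raise ValueError("format must be 'suffix' or 'prefix'")
    return (user, realm) if sep else None


def realm_authorize(request):
    """The 'suffix' then 'ntdomain' instances from the posted authorize{}.
    The first instance that finds a known realm sets Stripped-User-Name and
    Realm, plus Proxy-To-Realm when the realm lives on another server.
    Unknown realms are left untouched (the post defines no DEFAULT realm)."""
    for fmt, delim in (("suffix", "@"), ("prefix", "\\")):
        hit = split_realm(request["User-Name"], fmt, delim)
        if hit is None or hit[1] not in REALMS:
            continue
        request["Stripped-User-Name"], request["Realm"] = hit
        if REALMS[hit[1]] is not None:
            request["Proxy-To-Realm"] = hit[1]
        break
    return request


def route(request):
    """Where server Nr1 sends the request after authorize{}.  The outer
    EAP-TTLS request only carries EAP-Message (the password is still inside
    TLS), so proxying it hands Nr2 ciphertext it cannot use.  The inner
    request, which FreeRADIUS tags with FreeRADIUS-Proxied-To = 127.0.0.1,
    carries User-Password and is the one that can be forwarded as PAP."""
    inner = request.get("FreeRADIUS-Proxied-To") == "127.0.0.1"
    realm = request.get("Proxy-To-Realm")
    if realm and REALMS[realm]:
        if not inner and "EAP-Message" in request:
            return "proxy-ciphertext-eap"        # Nr2 sees only TLS records
        return "proxy-pap:" + REALMS[realm]      # scenario B from the post
    if inner:
        return "ldap-local"                      # scenario A from the post
    return "terminate-ttls-locally"              # outer tunnel stays on Nr1
```

Whatever leaves the tunnel towards Nr2 is plain PAP over RADIUS, protected only by the shared secret, so the proxy secret and the network path to 192.168.1.75 deserve the same care as the TLS side.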