<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style></head>
<body>
<div>How are you dealing with the challenge-response? If you use EAP-TTLS with PAP then this is not an issue<br><br>alan<br><br>----- Reply message -----<br>From: "Josh Richard" <jrichar4@d.umn.edu><br>Date: Fri, Feb 25, 2011 17:59<br>Subject: Auth-Type Perl instead of Auth-Type EAP?<br>To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org><br><br></div>
<font size="2"><div class="PlainText">Hello list,<br>
<br>
After a bit of digging, I would like to ask a question to ensure this<br>
idea is even possible.<br>
:)<br>
<br>
I am running FR 2 on Debian.<br>
<br>
What I would like to do is have a WPA2 PEAP/MS-CHAPv2 Cisco wireless<br>
SSID hook into the FR server above.<br>
<br>
The FR server currently is using rlm_perl to handle authentication and<br>
this does work with FR running with -x and a client test using<br>
radtest:<br>
<br>
Sending Access-Request of id 184 to <ip> port 1812<br>
User-Name = "jrichar4"<br>
User-Password = "removed"<br>
NAS-IP-Address = 127.0.1.1<br>
NAS-Port = 10<br>
rad_recv: Access-Accept packet from host <ip> port 1812, id=184, length=20<br>
<br>
on the server I see:<br>
<br>
rlm_perl: Added pair User-Name = jrichar4<br>
rlm_perl: Added pair User-Password = <removed><br>
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1<br>
rlm_perl: Added pair NAS-Port = 10<br>
rlm_perl: Added pair Crypt-Password = <removed><br>
rlm_perl: Added pair Auth-Type = Perl<br>
<br>
I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius<br>
to proxy the lookup to a different production FR server containing the<br>
set of all users. Neat.<br>
I hope to use this server to flip VLANs using<br>
$RAD_REPLY{'Tunnel-Private-Group-ID'} based on an eventual db lookup<br>
to control wireless machine infections without mutzing with an<br>
existing server.<br>
<br>
When the SSID is wired in, we see this:<br>
<br>
[peap] Got inner identity 'jrichar4'<br>
# Executing section authorize from file<br>
/etc/freeradius/sites-enabled/inner-tunnel<br>
rlm_perl: Added pair User-Name = jrichar4<br>
rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61<br>
rlm_perl: Added pair EAP-Type = Identity<br>
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1<br>
rlm_perl: Added pair Crypt-Password = *<br>
rlm_perl: Added pair Auth-Type = EAP<br>
rlm_perl: Added pair Proxy-To-Realm = LOCAL<br>
rlm_perl: Added pair EAP-Type = MS-CHAP-V2<br>
<br>
I would prefer to use Auth-Type = Perl in the EAP inner tunnel. Is<br>
this possible? I am hoping something simple is amiss as this is close<br>
to working!<br>
<br>
I have only:<br>
DEFAULT Auth-Type = Perl<br>
in users.<br>
<br>
In inner tunnel I have:<br>
authenticate {<br>
....<br>
Auth-Type Perl {<br>
perl<br>
}<br>
...<br>
eap<br>
}<br>
<br>
Do I need to overload anything in eap.conf?<br>
<br>
Thank you all and kind regards,<br>
<br>
Josh Richard<br>
University of Minnesota Duluth<br>
USA<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br>
</div></font>
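<div class="PlainText">An added example, not code from either poster: an rlm_perl module for FreeRADIUS 2 that illustrates Alan's point. Only an inner request that carries a User-Password (EAP-TTLS with PAP) is given Auth-Type = Perl and forwarded to the production server with Authen::Radius; a PEAP/MS-CHAPv2 inner request carries a challenge/response and no password the Perl code could forward, so it is left to the eap module. The production host, shared secret and the VLAN lookup table are placeholders.</div>

```perl
# Added example (not from the thread): rlm_perl module for FreeRADIUS 2.
# Only a PAP-style inner request (EAP-TTLS/PAP) carries User-Password, so
# only that case is handed to Perl; a PEAP/MS-CHAPv2 inner request carries
# an EAP-Message with a challenge/response and stays with the eap module.
use strict;
use warnings;
use Authen::Radius;

use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in FreeRADIUS 2's example.pl
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_FAIL    => 1;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Placeholders: the production FreeRADIUS server holding all users.
my $PROD_HOST   = 'prod-radius.example.org:1812';
my $PROD_SECRET = 'replace-me';

# Constructed lookup table: flagged users are steered to a quarantine VLAN.
my %QUARANTINE_VLAN = ( 'infected-user' => '666' );
my $DEFAULT_VLAN    = '100';   # placeholder

sub authorize {
    # No forwardable password in an EAP inner request: leave Auth-Type alone.
    return RLM_MODULE_NOOP if exists $RAD_REQUEST{'EAP-Message'};
    return RLM_MODULE_NOOP unless exists $RAD_REQUEST{'User-Password'};
    $RAD_CHECK{'Auth-Type'} = 'Perl';
    return RLM_MODULE_UPDATED;
}

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};
    return RLM_MODULE_REJECT unless defined $user && defined $pass;

    # Forward the PAP check to the production server.
    my $r = Authen::Radius->new(Host => $PROD_HOST, Secret => $PROD_SECRET,
                                TimeOut => 5)
        or return RLM_MODULE_FAIL;
    return RLM_MODULE_REJECT unless $r->check_pwd($user, $pass);

    # Accept, and tell the Cisco controller which VLAN to put the client on.
    my $vlan = exists $QUARANTINE_VLAN{$user} ? $QUARANTINE_VLAN{$user}
                                              : $DEFAULT_VLAN;
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-ID'} = $vlan;
    return RLM_MODULE_OK;
}
1;
```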
</body>
</html>