Hi

 

We have a radius server which does not understand EAP and we are using Free Radius as EAP-PEAP-GTC proxy-inner-tunnel.

 

As the present code does not set User-Password in EAP-PEAP-GTC mode so we made the following code changes:

 

1. File:  src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c

    In function gtc_initiate(void *type_data, EAP_HANDLER *handler)

    Added following lines with reference to  the src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c file

   #ifdef WITH_PROXY

        /*

         *      The EAP session doesn't have enough information to

         *      proxy the "inside EAP" protocol.  Disable EAP proxying.

         */

        handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;

    #endif

 

2. We also added the following  functions in rlm_eap_gtc.c file

      static int gtc_postproxy(EAP_HANDLER *handler, void *tunnel_data)

      This functions doesn’t seem to be called.

 

3. gtc_autheticate changes:

#ifdef WITH_PROXY

        /*

         *      If this options is set, then we do NOT authenticate the

         *      user here.  Instead, now that we've added the PAP

         *      attributes to the request, we STOP, and let the outer

         *      tunnel code handle it.

         *

         *      This means that the outer tunnel code will DELETE the

         *      EAP attributes, and proxy the PAP attributes to a

         *      home server.

         */

        if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) {

 

                /*

                 *      Set up the callbacks for the tunnel

                */

                eap_tunnel_data_t *tunnel;

                tunnel = rad_malloc(sizeof(*tunnel));

                memset(tunnel, 0, sizeof(*tunnel));

 

                tunnel->tls_session = type_data;

                tunnel->callback = gtc_postproxy;

 

                /*

                 *      Associate the callback with the request.

                */

                rcode = request_data_add(handler->request,

                                         handler->request->proxy,

                                         REQUEST_DATA_EAP_TUNNEL_CALLBACK,

                                         tunnel, free);

                rad_assert(rcode == 0);

 

                pairdelete(&handler->request->packet->vps, PW_STATE);

 

                return 1;

        }

#endif

 

The modified rlm_eap_gtc.c is attached for reference.

 

With these code changes we are able to set the User-Password in EAP-PEAP-GTC proxy mode. Also, debug message from gtc_postproxy is not visible in the log file.

 

However, when the proxied-to RADIUS Server throws Access-Challenge the same is not  forwarded by Free RADIUS to the client i.e. Reply-Message is stripped by Free RADIUS.

 

Please let us know how to convert the Reply-Message as challenge for the client.

 

Thanks n regards

Sankalp Dubey