Hi,
Yes, JUAC is an inner EAP protocol, inside ttls or peap. In our setup, It must be prefered because I have powerfull client-side host-checking features allowing to deeply control a lot of things mainly on Microsoft and Apple workstations (update level, antivirus, and so on ...) Customer tried to make it work with the help of Juniper's engineers using SteelBelted in front doing proxy to UAC for inner JUAC, but they failed because there is some other EAP protocols present in the production network they have not been able to support after many weeks of efforts. I have proposed to replace SteelBelted by freeradius, and I succeed to pass initial testings, but my current setup was without inner-tunnel modules correctly configured, which makes there is a lot of unneeded ldap access (anonymous identities which does not exist in ldap backend and so on ...) and impossibility to configure seperately outer and inner (when present) author/authent ...
hmmm...apart from the Apple OSX support I'd be tempted to point you to the SVN of FreeRADIUS that contains microsoft NAC support - which lets you check windows stuff (anti virus present/up to date, windows updates, firewall etc) just using the built in supplicant in XP SP3, Vista and 7. it should be present in FreeRADIUS 2.2.x - but no OSX support yet...because I think that'll need additional program/supplicant code on the client. regarding you query though.....hmmm, you should be able to see the EAP-Type and do something in unlang to update the control socket....but as its the inner type that might be too late in the process. or maybe not. in inner-tunnel itself you can allow extra proxying to occur. its nasty and you'd be treading down a path that less people have worn...so take care. alan