Sorry, I just read your subject line. What is the request sent from the supplicant: PEAP or EAP-TTLS/PAP? Ivan Kalik Kalik Informatika ISP Dana 31/1/2008, "Joakim Lindgren" <joakim.lindgren@gmail.com> piše:
Hi all, thanks for your explanation earlier!
I need your help with EAP-TTLS and PAP. I have earlier setup EAP-PEAP/EAP-TTLS and EAP-TLS working OK! I tried configuring the TTLS-PAP inner and outer tunnel but it will not work (and yes I have searched the forum, as always ;-)
Here are my explanation of what I´m trying to do:
A. If an incoming user conn. against the FreeRadius Server (Nr1) is belonging to "OTHER" (LOCAL) domain then the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I didn´t name the server ;-)
B. If an incoming user conn. against the FreeRadius Server (Nr1) is belonging to "SECURSERVER" domain then the EAP-TTLS tunnel is ended and PAP is proxied to other Radius (Nr 2).
I have tried several different conf. and as best I see requests coming to Radius Nr2 but the´re encrypted (Wireshark). The config files looks like this (as for now, thanks in advance!):
================================================================================================ eap.conf ========
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { }
leap { }
gtc {
auth_type = PAP }
tls {
private_key_password = password private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes }
ttls {
default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes }
peap {
default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no } mschapv2 { } } ===END EAP======================================================================================
================================================ users ======== DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS", Auth-Type := PAP DEFAULT Auth-Type != LDAP ================================================
================================================ Proxy.conf ======== realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL }
realm SECURACCESS { type = radius authhost = 192.168.1.75:1812 accthost = 192.168.1.75:1813 secret = toor # nostrip } ================================================
================================================================================================ radiusd.conf ========
.... modules {
pap { auto_header = yes }
chap { authtype = CHAP }
pam { pam_auth = radiusd }
unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp }
$INCLUDE ${confdir}/eap.conf
mschap { use_mppe = yes require_encryption = yes require_strong = yes }
ldap { server = "192.168.1.71" identity = "cn=admin,o=Contonso" password = "toor" basedn = "o=Contonso" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = yes tls_mode = no tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = nspmPassword tls_require_cert = "allow" timeout = 4 timelimit = 3 net_timeout = 1 port = 389 edir_account_policy_check=yes }
realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no }
....
authorize {
preprocess chap mschap suffix ntdomain eap files ldap pap }
authenticate {
Auth-Type PAP { pap }
Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap }
unix
Auth-Type LDAP { ldap } eap }
post-auth { ldap Post-Auth-Type REJECT { ldap }
}
===END radiusd.conf================================================================================
================================================ clients.conf ======== client 192.168.1.0/24 { secret = toor shortname = private-network-1 }
================================================