On 13/08/15 14:13, Matthew Newton wrote:
On Thu, Aug 13, 2015 at 03:05:04PM +0200, Basile Bluntschli wrote:
My switch will have the radius server A configured. All radius requests will be sent to the radius server A. If supplicant X wants to authenticate with PEAP, radius server A would handle the full request. If Supplicant Z wants to authenticate with EAP-TLS radius server A would proxy the whole request to Radius Server B.
Is there a way to do this?
First thing that comes to mind is to look at the EAP type in the incoming EAP-Message, and update proxy-to-realm if it's EAP-TLS. Something like this:
if (EAP-Message =~ /^0x........0d/) { update control { Proxy-To-Realm := 'remote_realm' } else { eap }
but there may be cleaner ways to do it.
I wondered about that; what about the EAP-Identity packet?