Thank you, Stefan. This sounds like what I want to do. Since I am using OTP, passwords sent in clear text are ok (and required by the upstream OTP radius server). I hade the proxy setup, but it sounds like I need to figure out how to proxy just the inner tunnel request. I will check the inner-tunnel config even deeper and see what I can come up with. If you have any tip’s I am open. ;) Thanks, Alex
On Oct 24, 2014, at 11:01 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
I was under the impression that, with EAP, it encapsulates the password in the EAP transmission. If I can only do EAP, then that means it can never send it in the clear. Which means, if I want to send the radius server the password in the clear (since its OTP) what I am doing can’t be done. Is this correct?
Alex,
When you receive an EAP access request, FreeRADIUS will pass the request on to the 'inner-tunnel' server (defined in /etc/raddb/sites-available/inner-tunnel). If you have an OTP server, you can then proxy the inner tunnel request to the OTP server. Of course, you then lose any of the protection that EAP-TTLS provides, but then again, if you're using PAP only, all bets are off anyway.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html