Josh Richard wrote:
What I would like to do is have a WPA2 PEAP/MS_ChapV2 Cisco wireless SSID hook into the FR server above.
OK...
The FR server currently is using rlm_perl to handle authentication and
Please, no. Authentication includes things like EAP. Doing EAP in Perl is not a good idea.
I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius to proxy the lookup to a different production FR server containing the set of all users. Neat.
Uh... that is an incredibly bad idea. FreeRADIUS already does proxying. Why do it in Perl? You're going to get it wrong.
When the SSID is wired in, we see this:
[peap] Got inner identity 'jrichar4' # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel rlm_perl: Added pair User-Name = jrichar4 rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61 rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Crypt-Password = * rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2
I would prefer the use Auth-Type = Perl in the EAP inner tunnel. Is this possible?
Yes. See raddb/sites-enabled/inner-tunnel
Do I need to overload anything in eap.conf?
No. But in general, this is a terrible idea. FreeRADIUS has proxying and DB plugins. Redoing all of that in Perl is asking for un-needed complexity. Alan DeKok.