On Oct 19, 2017, at 11:19 PM, work vlpl <thework.vlpl@gmail.com> wrote:
On the step 2 and 3, when proxy radius server analyze username, I want to analyze real username, not the outer anonymous identity. To do that I handle eap message on proxy radius server.
The RADIUS server has to do EAP. The "real" username is available only in the inner-tunnel.
Then, if username not belongs to certain group I handle request on proxy server without calling home server. If username belongs to a certain group I set Proxy-To-Realm attribute. And here I have an issue.
You can't do EAP on the server, *and* proxy EAP to another server. It's impossible. You *can* proxy the inner-tunnel session. But you also need to do it for all of the packets. You can't do EAP and also proxy, even inside of the inner-tunnel.
If request is peap-mschapv2 and I set proxy_tunneled_request_as_eap = yes, home radius server(freeradius v3.0.x branch) not understand eap message,
Then read *that* debug output to see what's going on. FreeRADIUS *can* proxy inner EAP methods. It *can* also act as a home server for those proxied requests.
if proxy_tunneled_request_as_eap = no home radius server have not problem to understand mschapv2 request. If request eap-ttls, ttls section in eap module config does not have option `proxy_tunneled_request_as_eap` and request on home server will be mschapv2.
That's fine.
And I could not configure proxy server to send request after it look inside eap-tls request. Home server inform what eap message has a wrong state.
Posting debug output would be more useful than posting vague descriptions.
So user request to proxy server is secured with eap, but proxy request to home server is send as simple mschapv2 without eap. And I want to know is it possible to send request as eap to home server, after proxy server handle (look inside) it?
No. You can (a) process EAP at a server, or (b) proxy it. You can't do both. Alan DeKok.