Fred MAISON wrote:
Yes, JUAC is an inner EAP protocol, inside ttls or peap.
Then you should be able to proxy it by just proxying the inner tunnel data.
I have proposed to replace SteelBelted by freeradius, and I succeed to pass initial testings, but my current setup was without inner-tunnel modules correctly configured, which makes there is a lot of unneeded ldap access (anonymous identities which does not exist in ldap backend and so on ...) and impossibility to configure seperately outer and inner (when present) author/authent ...
I don't know what you mean by that. It shouldn't be much of a problem to configure it.
I think I did not gave you enough information : * All NAS point to freeradius * All EAP protos without inner tunnel must be authenticated by freeradius using a ldap backend (I found existing devices on able to do EAP-LEAP for example, but may be there is some other insecure eap types)
Uh... don't use LEAP. Use TTLS or PEAP.
* juac is an innner protocol, it can be EAP-TTLS/EAP-JUAC or EAP-PEAP/EAP-JUAC (outer/inner) * for all other tunneled EAP-TTLS/* or EAP-EAP/*, I have to validate inner identity against ldap for authorize (ldap radiusgroupname membership) and authenticate (most common seems to be mschapv2 using ntpassword recovered in ldap during authorize). outer identity will not be checked because of encoutered client-side configuration inconsistencies.
So... figure out who's supposed to do EAP-JUAC, and proxy them. Authenticate everyone else inside of the tunnel. Alan DeKok.