On Nov 2, 2016, at 5:38 PM, Davide Belloni <davide.belloni@gmail.com> wrote:
for a SSID wireless network I'm trying, without success, to proxy EAP-TLS auth (based on certificate's CN) to specific Windows RADIUS that are members of two domain on AD.
As always, read the debug log. You will see the EAP session being started on FreeRADIUS, and *then* after a few packets, the client certificate shows up. i.e. you can't proxy an entire EAP session based on a client certificate that shows up in packet 4. You *can* proxy based on User-Name. But that's (mostly) independent of the client certificate.
For example what I want to obtain is that:
- EAP-TLS of client A, member of domain X, is proxied by Freeradius to RADIUS/AD of that domain - EAP-TLS of client B, member of domain Y, is proxied by Freeradius to RADIUS/AD of that domain - EAP-TLS of client C, member of any domain, is managed by file user
"client" or User-Name? It matters.
I've obtained a similar setup for EAP-TTLS using this configuration in inner-tunnel authorize section:
EAP-TLS mostly don't have an inner-tunnel authorize section. Also, if you're proxying EAP-TLS, you need to proxy the outer session, not the inner one.
if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) { if ("%{User-Name}" =~ /@domainx.com$/ || "%{User-Name}" =~ /\. domainx.com$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) { update control { Proxy-To-Realm := 'AD_DOMAINX' } } }
Which proxies the *inner* authentication to the other server. It doesn't proxy the EAP-TTLS exchange. And you can't proxy based on EAP type (TLS or TTLS), because that comes in the second packet of the EAP exchange.
Is it possible to obtain this setup with EAP-TLS? How?
Maybe. The simplest thing by far is to just proxy domain A to server A, and domain B to server B. That's what the "realms" configuration does. Alan DeKok.