Thanks! From what I could see in the console logs it certainly did appear that everything was being proxied, as one would hope/expect, but I did wonder if I was missing something. ________________________________ From: Alan DeKok <alan.dekok@inkbridge.io> Sent: Tuesday, October 28, 2025 16:24 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Stephen Mellor <Stephen.Mellor@nhs.scot> Subject: Re: Server verification when proxying [You don't often get email from alan.dekok@inkbridge.io. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisations Cisco ISE servers where we detect that the username is one of their machines.
OK.
The other organisation say that their users are sometimes prompted to continue with the connection.
What does that mean?
Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?
If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server. Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate. i.e. if their users are seeing problems, it's with their systems, not yours.
I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.
Don't make guesses. Find out what's going on.
What I don't understand is why they say that their users are only prompted 'sometimes', not always.
You'll have to ask them for details. Alan DeKok. -------------------------------------------------------------------------------------------------------------------------------------------------------- This email is intended for the named recipient only. If you have received it by mistake, please (i) contact the sender by email reply; (ii) delete the email from your system; . and (iii) do not copy the email or disclose its contents to anyone. --------------------------------------------------------------------------------------------------------------------------------------------------------