Hello, I've been using FreeRADIUS for years to do PEAP/MSCHAP2 WPA authentications, and it's worked well enough to be a set-it-and-forget-it solution. I'm currently running 1.0.4, but would upgrade if it would help me accomplish the goals in this message. However, changing environments bring me back into the config, and I'm not sure how to do what I want. We've been using ntlm_auth against the AD for our primary authentication, with a fallback to sql and plaintext passwords for local accounts. I'd like to change from maintaining my own sql copy/user database to RADIUS proxying to someone else's server.
From a few trial/error tests, I have two questions about proxying and EAP.
What's the recommended way to configure failover proxying/realms when there's no realm-ish identifier? When "user" logs in, I want them to check against ntlm_auth, and if that fails, resort back to a proxied realm as "user". Right now, I'm doing that via the default config realm suffix {} module, and a realm NULL section in proxy.conf. Is there a better way? Hints or something? Does this involve the configurable_failover documentation? Second question involves proxies and EAP. Since my upstream RADIUS server I'm proxying to doesn't seem to support EAP, is it even possible for my RADIUS server (in its PEAP/MSCHAPv2 decoding,) to create a 'normal' RADIUS packet to relay? Or do I have to get the upstream server to support EAP? It seems like if suffix (realm) module is anywhere in the authorize section, it proxies the entire EAP packet. Can I tell it only to do that at a certain stage in the process? How would you recommend I configure this? Dave