On 21-07-14 11:10, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Has anyone ever tried something like this and got the setup working?
dont mess with the packets - dont just proxy the inner tunnel to the NPS, send all valid stuff at the outer layer to the NPS box for it to deal with (ie make it the end EAP termination tunnel). you know that nice setting (check cryptobinding) you see on the client? thats designed to check that the EAP termination is actually the same server that unwrapped the TLS in the first instance. use unlang to define the proxy group/realm - proxy stuff to the NPS that matches your desire.
I don't really see the relevance of cryptobinding here. The EAP tunnel is unpacked, and only the contents of it (slightly modified) is sent to a backend. FreeRADIUS is the EAP terminator and the server that started with the TLS unwrapping. This scenario shouldn't be too weird, or else the virtual server proxy-inner-tunnel would not exist in the distribution. From an EAP point of view, this is not so different from a setup where the users would be defined in the users-file on the FreeRADIUS server. -- Herwin Weststrate