-----Original Message----- From: Andy Goy Sent: Friday, December 30, 2005 1:34 PM To: 'freeradius-users@lists.freeradius.org' Subject: Peap mschapv2 proxy early termination of EAP
Hi Alan Thanks for the reply
Andy Goy <Andy.Goy@kcom.com> wrote:
I have added 2 lines to the users file
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL, Auth-Type = EAP (line 167) DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := wifi (line 168)
The first line is unnecessary. Delete it. Alan DeKok. Without the first line the request goes straight out as EAP-MSCHAPv2 to the proxy server. With a lot more digging in the lists, I found a number of comments regarding my problem Don't include a realm for the initial (outer) realm and make an the inner realm that contains the proxy server settings as unique Write a common detail file and use radrelay to proxy accounting (also questions asking how to just get the realm variable) to select the correct proxy server for accounting This improved things, but the real solution was to include a ream for the outer pointing to LOCAL, and point the inner to the correct proxy server This then provides the %Realm variable to write a detail-combined file for each realm (using suffix) Two radrelays send accounting to the correct servers Thanks for all your comments in the lists Its a wonderful piece of software/work The following config works a treat for me, I just need to purchase/install a real signed certificate now !! I hope it's correct and maybe helps someone Regards Andy To proxy peap EAP mschap-v2 to a proxy server that only supports mschapv2 (and send accounting) Users logging in using username@wifi and username@isp2 users DEFAULT User-Name =~ "@wifi$", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-wifi Fall-Through = Yes DEFAULT User-Name =~ "@isp2$", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-isp2 Fall-Through = Yes radiusd.conf Detail{ detailfile = ${radacctdir}/%{Realm}/detail-combined detailperm = 0600 } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random # Check the Certificate Revocation List # check_crl = yes # check } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no use_tunneled_reply = yes copy_request_to_tunnel = yes } mschapv2 { } } Proxy.conf realm wifi { type = radius authhost = LOCAL accthost = LOCAL nostrip } realm inner-wifi { type = radius authhost = xxxxxxxxxx:1645 accthost = xxxxxxxxxx:1646 secret = wifisecret nostrip } realm isp2 { type = radius authhost = LOCAL accthost = LOCAL nostrip } realm inner-isp2 { type = radius authhost = xxxxxxxx:1812 accthost = xxxxxxxx:1813 secret = isp2secret nostrip } Radrelay command for wifi realm radrelay -a (your accounting dir/radacct/wifi -d /etc/raddb -r (address of wifi proxy:port) -s wifisecret detail-combined Radrelay command for isp2 realm /radacct/isp2 (address of isp2 proxy:port) The content of this e-mail and any attachment is private and may be legally privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this e-mail and/or its attachments is unauthorised. If you have received this e-mail in error please notify the sender by e- mail and delete this message and any attachments immediately from this system. Kingston Communications (HULL) PLC is a public limited company incorporated in England and Wales with registration number 02150618 and whose registered office is at 37 Carr Lane, Hull HU1 3RE