Fred MAISON wrote:
Yes, JUAC is an inner EAP protocol, inside ttls or peap.
Then you should be able to proxy it by just proxying the inner tunnel data.
Yes, how can I do that ? May I activate proxy-inner-tunnel site along with inner-tunnel site ? EAP-JUAC EAP-Type seems to be 254. May this help along with ignore unknown eap type flag ?
I have proposed to replace SteelBelted by freeradius, and I succeed to pass initial testings, but my current setup was without inner-tunnel modules correctly configured, which makes there is a lot of unneeded ldap access (anonymous identities which does not exist in ldap backend and so on ...) and impossibility to configure seperately outer and inner (when present) author/authent ...
I don't know what you mean by that. It shouldn't be much of a problem to configure it.
I think I did not gave you enough information : * All NAS point to freeradius * All EAP protos without inner tunnel must be authenticated by freeradius using a ldap backend (I found existing devices on able to do EAP-LEAP for example, but may be there is some other insecure eap types)
Uh... don't use LEAP. Use TTLS or PEAP.
I agree with you. And the main goal of the current setup is to catch enough information to force user/workstations migration to TTLS when possible ; some devices will remain on LEAP since they seems to be hardcoded to do LEAP and only LEAP ...
* juac is an innner protocol, it can be EAP-TTLS/EAP-JUAC or EAP-PEAP/EAP-JUAC (outer/inner) * for all other tunneled EAP-TTLS/* or EAP-EAP/*, I have to validate inner identity against ldap for authorize (ldap radiusgroupname membership) and authenticate (most common seems to be mschapv2 using ntpassword recovered in ldap during authorize). outer identity will not be checked because of encoutered client-side configuration inconsistencies.
So... figure out who's supposed to do EAP-JUAC, Yes, but based on what ? I currently use a real, but this can be changed by end-user to bypass JUAC host checking capabilities ... and proxy them. Authenticate everyone else inside of the tunnel.
Yes, it's what I need, but I don't fully master how to do that. May be the first point related to enable site proxy-inner-tunnel ? If so, it seem to be very unselective (I meen ALL protocols doing inner-tunnel will be proxied to UAC, leaving only EAP-LEAP on freeradius. This could be a good solution for me. Best regards Fred MAISON
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html