Terminate TLS and proxy PEAP
Hi At the moment I use FreeRADIUS to proxy eap peap mschapv2 request to a RADIUS server for authentication. The connecting machine submits in addition to the authentication information, some information about it's health state encrypted in the PEAP packets. Is there a possibility to decrypt the packets on the FreeRADIUS Proxy, to get the health state, and forward the PEAP packets for authentication to the RADIUS server. Or in other words is there a possibility to determine the TLS-Connection on the FreeRADIUS proxy and to forward the PEAP packets to the RADIUS Server and how the FreeRADIUS proxy has to be configured? Your help would be much appreciated, Thanks Fuki -- View this message in context: http://www.nabble.com/Terminate-TLS-and-proxy-PEAP-tf4434055.html#a12649999 Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
Hi
At the moment I use FreeRADIUS to proxy eap peap mschapv2 request to a RADIUS server for authentication. The connecting machine submits in addition to the authentication information, some information about it's health state encrypted in the PEAP packets.
Is there a possibility to decrypt the packets on the FreeRADIUS Proxy, to get the health state, and forward the PEAP packets for authentication to the RADIUS server. Or in other words is there a possibility to determine the TLS-Connection on the FreeRADIUS proxy and to forward the PEAP packets to the RADIUS Server and how the FreeRADIUS proxy has to be configured?
You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel. In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
Phil Mayers wrote:
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
I'm trying to get PEAPv2 patches from someone who claims they had it working a few years ago. Alan DeKok.
On Thu, 2007-09-13 at 11:01 +0200, Alan DeKok wrote:
Phil Mayers wrote:
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
I'm trying to get PEAPv2 patches from someone who claims they had it working a few years ago.
Related; how would you envisage FreeRadius "presenting" the presence of
1 authentication exchange inside the tunnel? Presumably the same issue exists with the EAP-TNC inside TTLS method.
Phil Mayers wrote:
Related; how would you envisage FreeRadius "presenting" the presence of
1 authentication exchange inside the tunnel? Presumably the same issue exists with the EAP-TNC inside TTLS method.
Code has to be written to support it. Given the virtual server stuff in 2.x, this becomes a *lot* easier. Alan DeKok.
Phil Mayers wrote:
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel.
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
Yes I'm talking about the Vista build-in health check packets. I used a packet sniffer to analyze the submitted packets and compared them with the PEAPv2 specification (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11, 2.1.4. Version Negotiation). According the specification PEAP v0 is used by Vista, so it should be possible to use FreeRadius as proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server? -- View this message in context: http://www.nabble.com/Terminate-TLS-and-proxy-PEAP-tf4434055.html#a12651948 Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
Phil Mayers wrote:
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel.
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
Yes I'm talking about the Vista build-in health check packets. I used a packet sniffer to analyze the submitted packets and compared them with the PEAPv2 specification (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11, 2.1.4. Version Negotiation). According the specification PEAP v0 is used by Vista, so it should be possible to use FreeRadius as proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?
Provided FreeRadius can parse the PEAP contents (which it can't) then yes, sending the inner EAP-MSCHAP to another server is easy: DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
Phil Mayers wrote:
On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
Phil Mayers wrote:
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel.
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
Yes I'm talking about the Vista build-in health check packets. I used a packet sniffer to analyze the submitted packets and compared them with the PEAPv2 specification (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11, 2.1.4. Version Negotiation). According the specification PEAP v0 is used by Vista, so it should be possible to use FreeRadius as proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?
Provided FreeRadius can parse the PEAP contents (which it can't) then yes, sending the inner EAP-MSCHAP to another server is easy:
DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Based on http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.htm... I got the following idea (it's suggested to work with FreeRadius): RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (tsl termination and conversion) <- mschapv2 -> RADIUS Server Are there any comments for this recommendation. If it works, does somebody now how to configure the FreeRadius proxy? -- View this message in context: http://www.nabble.com/Terminate-TLS-and-proxy-PEAP-tf4434055.html#a12653324 Sent from the FreeRadius - User mailing list archive at Nabble.com.
Try reading the post you have replied to. Ivan Kalik Kalik Informatika ISP Dana 13/9/2007, "fuki" <lukas.akermann@unifr.ch> piše:
Phil Mayers wrote:
On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
Phil Mayers wrote:
On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
You can certainly terminate the PEAP and still proxy the inner EAP-MSCHAP to another radius server; however as far as I am aware, FreeRadius doesn't yet have support for the various health state attributes, or for that matter >1 set of data inside the PEAP tunnel.
In particular if you are talking about the Vista built-in health check packets, that uses PEAPv2 which FreeRadius doesn't support, and you won't be able to terminate.
Yes I'm talking about the Vista build-in health check packets. I used a packet sniffer to analyze the submitted packets and compared them with the PEAPv2 specification (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11, 2.1.4. Version Negotiation). According the specification PEAP v0 is used by Vista, so it should be possible to use FreeRadius as proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?
Provided FreeRadius can parse the PEAP contents (which it can't) then yes, sending the inner EAP-MSCHAP to another server is easy:
DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Based on http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.htm... I got the following idea (it's suggested to work with FreeRadius):
RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (tsl termination and conversion) <- mschapv2 -> RADIUS Server
Are there any comments for this recommendation. If it works, does somebody now how to configure the FreeRadius proxy? -- View this message in context: http://www.nabble.com/Terminate-TLS-and-proxy-PEAP-tf4434055.html#a12653324 Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
fuki wrote:
... According the specification PEAP v0 is used by Vista, so it should be possible to use FreeRadius as proxy to decrypt the packages, to analyze the health state (has to be implemented) and to proxy the inner EAP-MSCHAP to another radius server?
Yes. But I think some code may be needed. Alan DeKok.
participants (4)
-
Alan DeKok -
fuki -
Phil Mayers -
tnt@kalik.co.yu