I would like to proxy leap authentication requests to a non-leap compatible radius server. This is a feature of the Cisco ACS product that I was hoping FreeRadius would be able to do. I have eap\leap working with my lab wireless access point using the local users file. I have a realm setup and can proxy pap, chap , and mschap successfully to a remote radius server. What I would like to do is have FreeRadius perform the eap\leap authentication request locally, and proxy a chap or mschap(v2) request with username and password ( only ) to a remote ( non-eap ) radius server. Questions: 1) Does the current FreeRadius download have this capability and I just need to configure it correctly? 2) Has anyone done eap\leap proxy this way with any success ( or not ) with FreeRadius? Do you have a code hack you can share? 3) [to the developers] In the processing eap\leap authentication request within the code does the username and password get decoded to plain text in a variable if authenticated to the local users file? C file and line number, please. If I am not able to get this working, I am looking at having to purchase 10 copies of Cisco's ACS at $4K each. I would like to avoid the cost and provide wireless authentication at each of my facilities. Any input is welcome, thanks in advance.... ----------------------------------------------------- Chris Arnold Network Manager & Systems Architect ----------------------------------------------------- This message (including any attachments) contains confidential and/or proprietary information intended only for the addressee. Any unauthorized disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited and may constitute a violation of law. If you are not the intended recipient, please notify the sender immediately by responding to this e-mail, and delete the message from your system. If you have any questions about this e-mail please notify the sender immediately. Ce message (ainsi que les eventuelles pieces jointes) est exclusivement adresse au destinataire et contient des informations confidentielles. La copie, la communication ou la distribution du contenu de ce message sans l'accord prealable de l'expediteur sont strictement interdits et peuvent constituer un delit. Si vous n'etes pas destinataire de ce message, merci de le detruire et d'avertir l'expediteur. Si vous avez des questions se rapportant a ce courrier electronique, merci de bien vouloir notifier l'expediteur immediatement.
carnold@dancon.com wrote:
1) Does the current FreeRadius download have this capability and I just need to configure it correctly?
No.
3) [to the developers] In the processing eap\leap authentication request within the code does the username and password get decoded to plain text in a variable if authenticated to the local users file?
No.
C file and line number, please.
grep?
If I am not able to get this working, I am looking at having to purchase 10 copies of Cisco's ACS at $4K each. I would like to avoid the cost and provide wireless authentication at each of my facilities.
Geez, for that, hire someone to add the functionality to FreeRADIUS. For $40K, I'm sure you'll find someone to do the job. :) You'll need to supply packet traces from ACS, with both the input LEAP packets & output MSCHAP packets, including RADIUS shared secrets & user passwords. After that, the implementation should be relatively trivial in FreeRADIUS. The EAP-MSCHAPv2 module in FreeRADIUS already does something similar, so precedent is there. And bugzilla has patches to proxy EAP-MD5 as CHAP, too. Alan DeKok.
participants (2)
-
Alan DeKok -
carnold@dancon.com