Server verification when proxying
Freeradius 3.2, Windows 11 clients, EAP-TLS server verification. We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisations Cisco ISE servers where we detect that the username is one of their machines. The other organisation say that their users are sometimes prompted to continue with the connection. Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers? I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input. What I don't understand is why they say that their users are only prompted 'sometimes', not always. Apologies for the lack of detail, I'm still trying to work my way through various logs... Steve M -------------------------------------------------------------------------------------------------------------------------------------------------------- This email is intended for the named recipient only. If you have received it by mistake, please (i) contact the sender by email reply; (ii) delete the email from your system; . and (iii) do not copy the email or disclose its contents to anyone. --------------------------------------------------------------------------------------------------------------------------------------------------------
On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisations Cisco ISE servers where we detect that the username is one of their machines.
OK.
The other organisation say that their users are sometimes prompted to continue with the connection.
What does that mean?
Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?
If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server. Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate. i.e. if their users are seeing problems, it's with their systems, not yours.
I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.
Don't make guesses. Find out what's going on.
What I don't understand is why they say that their users are only prompted 'sometimes', not always.
You'll have to ask them for details. Alan DeKok.
Thanks! From what I could see in the console logs it certainly did appear that everything was being proxied, as one would hope/expect, but I did wonder if I was missing something. ________________________________ From: Alan DeKok <alan.dekok@inkbridge.io> Sent: Tuesday, October 28, 2025 16:24 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Stephen Mellor <Stephen.Mellor@nhs.scot> Subject: Re: Server verification when proxying [You don't often get email from alan.dekok@inkbridge.io. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisations Cisco ISE servers where we detect that the username is one of their machines.
OK.
The other organisation say that their users are sometimes prompted to continue with the connection.
What does that mean?
Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?
If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server. Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate. i.e. if their users are seeing problems, it's with their systems, not yours.
I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.
Don't make guesses. Find out what's going on.
What I don't understand is why they say that their users are only prompted 'sometimes', not always.
You'll have to ask them for details. Alan DeKok. -------------------------------------------------------------------------------------------------------------------------------------------------------- This email is intended for the named recipient only. If you have received it by mistake, please (i) contact the sender by email reply; (ii) delete the email from your system; . and (iii) do not copy the email or disclose its contents to anyone. --------------------------------------------------------------------------------------------------------------------------------------------------------
Hi Stephen, It depends on the username that the device(s) provided. As Alan says, your server would not be involved if the packets are proxied to the home organisation. Does the other site have any specifics (i.e. is it always the same user that this happens to, or is it always the same kind of device?). If you have someone at the organisation in question to liaise with, you could try and conditionally debug things by running FreeRADIUS with this command-line (which forces FR to run in the foreground and handling things in a single thread (I think?): Ubuntu/Debian: /usr/sbin/freeradius -fxx -l stdout |tee -a /tmp/your-debug-log.log RedHat/Alma/Centos/Rocky: /usr/sbin/raddb -fxx -l stdout |tee -a /tmp/your-debug-log.log It will probably scroll like crazy, but the 'your-debug-log.log' file will have it all captured and you can start searching for the MAC address of the device in question and see what the difference in packets is (maybe one uses 'host/blah-blah.realm.tld' as a username while another does it like 'blah-blah@realm.tld' and your server handles them differently. :-) Lots of variables there, but looking at the debug log helps a lot if you then need to figure it out :-) Kind regards Stefan Paetow Federated Roaming Technical Specialist eduroam(UK), Jisc email/teams: stefan.paetow@jisc.ac.uk gpg: 0x3FCE5142 For eduroam support, please contact the eduroam team via help@jisc.ac.uk and mark it for eduroam’s attention. I am not available on Mondays and Fridays between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer). Note: I don’t expect a reply outside of your working hours, since I work internationally with colleagues in different nationalities with different religions, customs, and holidays. Reply when it is convenient for you. Jisc is a registered charity (in England and Wales under charity number 1149740; in Scotland under charity number SC053607) and a company limited by guarantee registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800. For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice On 28/10/2025, 17:01, "Freeradius-Users on behalf of Stephen Mellor via Freeradius-Users" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org <mailto:jisc.ac.uk@lists.freeradius.org> on behalf of freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org>> wrote: Thanks! From what I could see in the console logs it certainly did appear that everything was being proxied, as one would hope/expect, but I did wonder if I was missing something. ________________________________ From: Alan DeKok <alan.dekok@inkbridge.io <mailto:alan.dekok@inkbridge.io>> Sent: Tuesday, October 28, 2025 16:24 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org>> Cc: Stephen Mellor <Stephen.Mellor@nhs.scot <mailto:Stephen.Mellor@nhs.scot>> Subject: Re: Server verification when proxying [You don't often get email from alan.dekok@inkbridge.io <mailto:alan.dekok@inkbridge.io>. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification <https://aka.ms/LearnAboutSenderIdentification> ] On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users@lists.freeradius.org <mailto:freeradius-users@lists.freeradius.org>> wrote:
Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisations Cisco ISE servers where we detect that the username is one of their machines.
OK.
The other organisation say that their users are sometimes prompted to continue with the connection.
What does that mean?
Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?
If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server. Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate. i.e. if their users are seeing problems, it's with their systems, not yours.
I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.
Don't make guesses. Find out what's going on.
What I don't understand is why they say that their users are only prompted 'sometimes', not always.
You'll have to ask them for details. Alan DeKok. -------------------------------------------------------------------------------------------------------------------------------------------------------- This email is intended for the named recipient only. If you have received it by mistake, please (i) contact the sender by email reply; (ii) delete the email from your system; . and (iii) do not copy the email or disclose its contents to anyone. -------------------------------------------------------------------------------------------------------------------------------------------------------- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
Hi Stephen, Alan is, of course, right: When proxying other people's connections, your RADIUS server assumes an entirely different role than in local operation: It passes foreign messages based on the outer identity -- that's it. You remain 100% agnostic of their EAP variant, or their encryption details. For us university people, this is very common in the eduroam system. To accomodate for "foreign" users (their_realm != our_realm) for roaming, we let them use our RADIUS servers and the RADIUS proxy chain to obtain an Access-Accept or Access-Reject message, then follow this result and, in case of Access-Accept, assign them to some "externally authenticated guests" VLAN. Am 28.10.25 um 17:24 schrieb Alan DeKok via Freeradius-Users:
What I don't understand is why they say that their users are only prompted 'sometimes', not always.
This might be due to differences in client devices. A properly pre-configured client already knows what Root Cert/CA and server name/SAN to verify. Thus, it can tell right away whether to proceed with setup or to reject the server. Many unconfigured clients (e.g. Windows) default to "Trust on first use": When the client a new server, it asks the user whether to accept the server. The decision is stored and continues to work until the server cert expires. (The worst case would be not to validate the server cert at all which used to be huge problem with Android devices over 2 decades). So heterogenously configured clients may result in heterogenous behaviour. Mit freundlichen Grüßen/Kind regards Martin Pauly -- Dr. Martin Pauly Abt. Kommunikation Hochschulrechenzentrum (HRZ) Philipps-Universität Marburg 35032 Marburg T +49 6421 28-23527 E pauly@hrz.uni-marburg.de https://www.uni-marburg.de/de/hrz
participants (4)
-
Alan DeKok -
Martin Pauly -
Stefan Paetow -
Stephen Mellor