Terminate EAP in FreeRADIUS and do authentication in other RADIUS server.
Hi I want to do 802.1x PEAP authentication on FreeRADIUS. Authentication (username/password checking) needs to be done on another RADIUS server (Safeword server), which is uncapable to handle EAP requests. What I do have working: * PEAP with users in a local MySQL database on the FreeRADIUS server * proxy simple authentication requests to Safeword server I have configured all kinds of options suggested in this list to try to terminate the EAP tunnel in FreeRADIUS, but still EAP messages are sent to the Safeword server: An RADIUS Access-Request is sent, with these attribute value pairs: EAP-Message User-Name NAS-IP-Address Message-Authenticator Proxy-State I should expect a RADIUS Access-Request with these attribute value pairs: User-Name User-Password NAS-IP-Address NAS-Port Proxy-State What am I doing wrong? I have this in my users file: NULL Proxy-To-Realm := LOCAL DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := Safeword I have this in proxy.conf: realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } realm Safeword { type = radius authhost = <ip>:1645 accthost = <ip>:1646 secret = <secret> } Ronald
We need to see the debug (radiusd -X) to see what gets matched etc. Ivan Kalik Kalik Informatika ISP
On Sat, 2007-10-27 at 00:08 +0200, Ruijgrok, Ronald wrote:
Hi
I want to do 802.1x PEAP authentication on FreeRADIUS. Authentication (username/password checking) needs to be done on another RADIUS server (Safeword server), which is uncapable to handle EAP requests.
What I do have working: * PEAP with users in a local MySQL database on the FreeRADIUS server * proxy simple authentication requests to Safeword server
If you are using the default windows supplicant, the inner auth type for PEAP is EAP/MS-CHAP; this is *not* simple username/password. Most likely the rules you have set are matching, but as I say the inner EAP type is EAP/MS-CHAP, so you still see EAP packets at the Safeword server. You can set: peap { proxy_tunneled_request_as_eap = no } ...in eap.conf and then you'll get plain MS-CHAP at the Safeword server.
I have configured all kinds of options suggested in this list to try to terminate the EAP tunnel in FreeRADIUS, but still EAP messages are sent to the Safeword server: An RADIUS Access-Request is sent, with these attribute value pairs: EAP-Message User-Name NAS-IP-Address Message-Authenticator Proxy-State
I should expect a RADIUS Access-Request with these attribute value pairs: User-Name User-Password NAS-IP-Address NAS-Port Proxy-State
You will need to use EAP-TTLS/PAP to get exactly this.
participants (3)
-
Phil Mayers -
Ruijgrok, Ronald -
tnt@kalik.co.yu