Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Hi all (and really thanks to Alan DeKok), I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius and IAS. A software I´m using is offering two factor authentication and they got their own Radius who only supports PAP. Is it possible to terminate the client EAP connection at the FreeRadius proxy and forward the request as a PAP to the software vendors own Radius. In that case it works, briefly how do I do? Thanks all! (Im going to buy Alan DeKok coming FreeRadius book ;-) Sincerely Joakim
Joakim You could certainly do this with EAP-TTLS/PAP. I know because I've done it myself in a previous job. It's quite simple really. You have the outer authentication using one realm (possibly the null realm and using the name 'anonymous'). In the inner authentication, you use another realm that is proxied by the FreeRADIUS server to the remote server supporting PAP. I've done exactly this with CryptoCARD servers and with Vasco servers. You may need to strip the decoration from the username before forwarding the PAP authentication request to the back end server. e.g. guyd@foo.com might need to be reduced to just guyd before that username would be correctly authenticated by the backend server. Rgds, Guy On 31/01/2008, Joakim Lindgren <joakim.lindgren@gmail.com> wrote:
Hi all (and really thanks to Alan DeKok),
I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius and IAS. A software I´m using is offering two factor authentication and they got their own Radius who only supports PAP.
Is it possible to terminate the client EAP connection at the FreeRadius proxy and forward the request as a PAP to the software vendors own Radius.
In that case it works, briefly how do I do?
Thanks all! (Im going to buy Alan DeKok coming FreeRadius book ;-)
Sincerely Joakim
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Did you search the list for answers first. You had an example yesterday. This was about proxying mschap, but the users file entry is the same. Ivan Kalik Kalik Informatika ISP Dana 31/1/2008, "Joakim Lindgren" <joakim.lindgren@gmail.com> piše:
Hi all (and really thanks to Alan DeKok),
I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius and IAS. A software I´m using is offering two factor authentication and they got their own Radius who only supports PAP.
Is it possible to terminate the client EAP connection at the FreeRadius proxy and forward the request as a PAP to the software vendors own Radius.
In that case it works, briefly how do I do?
Thanks all! (Im going to buy Alan DeKok coming FreeRadius book ;-)
Sincerely Joakim
participants (3)
-
Guy Davies -
Ivan Kalik -
Joakim Lindgren