Re: Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Ok, thanks for pointing this out. I suppose I will have to either enable EAP on the radius for the EAP request to be proxied or have MSCHAP configured on it. Though using EAP will means I need to recompile the radius as I'm using the source packages. The radius that I need to proxy to runs 1.1.7 with LDAP. Do you have any advise on which will be a better approach? Thanks/Regards, Ryan
You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can proxy that. You can't transform that into PAP. If you have a look at the thread you have quoted you will see that his users were using EAP-TTLS PAP not PEAP.
Ivan Kalik Kalik Informatika ISP
Dana 22/3/2008, "Ryan" <majereryan@gmail.com> pi?e:
Sorry for being not specific enough. Was thinking of understanding how it works and then figure out the configuration myself.
Basically I need to terminate a request that uses EAP/PEAP on the main radius and proxy the request to an inner radius server for authentication using PAP. What will I need to configure in order to get it forwarded correctly?
Thanks/Regards, Ryan
Ryan wrote:
Just read through some of the messages available on proxy tunneling. I'm currently using 2.0.2 and read through the examples on inner tunnel which seems to be able to do what I need. Can someone help by providing more details on how it actually works?
PEAP authentication is really SSL + authentication inside of the SSL tunnel. So... the server handles authentication "outside" of the tunnel, and authentication "inside" of the tunnel as independent authentications.
Do you have *specific* questions? Asking "how does it work" is rather open-ended.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I enabled MS-CHAP on the radius whereby the request is to be proxied to. Using the configuration mentioned in http://lists.freeradius.org/pipermail/freeradius-users/2008-February/069292.... as a guide, I was able to configure the radius to proxy the request as plain MS-CHAP however encounter some problems when the response is returned. Will address this in a separate message as the subject is no longer appropriate. Regards, Ryan On Mon, Mar 24, 2008 at 10:30 AM, Ryan <majereryan@gmail.com> wrote:
Ok, thanks for pointing this out.
I suppose I will have to either enable EAP on the radius for the EAP request to be proxied or have MSCHAP configured on it. Though using EAP will means I need to recompile the radius as I'm using the source packages. The radius that I need to proxy to runs 1.1.7 with LDAP.
Do you have any advise on which will be a better approach?
Thanks/Regards, Ryan
You can't do that. Inner tunnel for PEAP is EAP-MSCHAPv2 and you can proxy that. You can't transform that into PAP. If you have a look at the thread you have quoted you will see that his users were using EAP-TTLS PAP not PEAP.
Ivan Kalik Kalik Informatika ISP
Dana 22/3/2008, "Ryan" <majereryan@gmail.com> pi?e:
Sorry for being not specific enough. Was thinking of understanding how it works and then figure out the configuration myself.
Basically I need to terminate a request that uses EAP/PEAP on the main radius and proxy the request to an inner radius server for authentication using PAP. What will I need to configure in order to get it forwarded correctly?
Thanks/Regards, Ryan
Ryan wrote:
Just read through some of the messages available on proxy tunneling. I'm currently using 2.0.2 and read through the examples on inner tunnel which seems to be able to do what I need. Can someone help by providing more details on how it actually works?
PEAP authentication is really SSL + authentication inside of the SSL tunnel. So... the server handles authentication "outside" of the tunnel, and authentication "inside" of the tunnel as independent authentications.
Do you have *specific* questions? Asking "how does it work" is rather open-ended.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (1)
-
Ryan