freeradius proxy with 802.1x termination
I am attempting to configure freeradius to terminate an 802.1x EAP-TTLS authentication, but forward/proxy the user/pass to another radius server. I can get it to standard proxy, and I can get it to function as a standalone radius server with EAP-TTLS, but can't seem to find any good information on how to do this.... I assume someone has been there done that... any help would be greatly appreciated. Thanks, John
After doing some more digging, I think I am catching onto this... somewhat. It sounds like I need to have the Radius Proxy, authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server. I have setup the Outer identity to be Anonymous@outer which is proxied to LOCAL, while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2. Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :) John On Tue, Jan 5, 2010 at 12:08 PM, <jgammons@gmail.com> wrote:
I am attempting to configure freeradius to terminate an 802.1x EAP-TTLS authentication, but forward/proxy the user/pass to another radius server. I can get it to standard proxy, and I can get it to function as a standalone radius server with EAP-TTLS, but can't seem to find any good information on how to do this....
I assume someone has been there done that... any help would be greatly appreciated.
Thanks, John
Hi,
After doing some more digging, I think I am catching onto this... somewhat.
It sounds like I need to have the Radius Proxy, authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.
I have setup the Outer identity to be Anonymous@outer which is proxied to LOCAL, while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.
Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)
if you only want to deal with the inner 'natively' then you'd probably want to terminate the EAP on your FreeRADIUS box - ie use inner-tunnel and then proxy the inner stuff from there. (see the big warnings) alan
John Gammons wrote:
After doing some more digging, I think I am catching onto this... somewhat.
It sounds like I need to have the Radius Proxy, authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.
Yes.
I have setup the Outer identity to be Anonymous@outer which is proxied to LOCAL,
Er... no. Don't proxy it.
while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.
See eap.conf, proxy_tunneled_request_as_eap.
Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)
See doc/aaa.txt for a simple introduction to the process. Alan DeKok.
Thanks for the tips guys. Been doing some more digging and learning a lot... but maybe I should take a step back here and explain what I am trying to accomplish.... My client "Ubiquity Nanostation" only supports EAP-TTLS MSCHAPv2. My NAS, only supports access-requests using PAP/CHAP passwords in clear-text. I am attempting to setup a "Radius Proxy" that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication. The more I read, the more I am getting the impression that this is not possible. Is that the case? John On Wed, Jan 6, 2010 at 3:43 PM, Alan DeKok <aland@deployingradius.com> wrote:
John Gammons wrote:
After doing some more digging, I think I am catching onto this... somewhat.
It sounds like I need to have the Radius Proxy, authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.
Yes.
I have setup the Outer identity to be Anonymous@outer which is proxied to LOCAL,
Er... no. Don't proxy it.
while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.
See eap.conf, proxy_tunneled_request_as_eap.
Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)
See doc/aaa.txt for a simple introduction to the process.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
John Gammons wrote:
My client "Ubiquity Nanostation" only supports EAP-TTLS MSCHAPv2.
My NAS, only supports access-requests using PAP/CHAP passwords in clear-text.
What does that mean?
I am attempting to setup a "Radius Proxy" that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.
The NAS is a RADIUS client. It originates Access-Requests. It doesn't receive them, and it definitely doesn't do authentication.
The more I read, the more I am getting the impression that this is not possible. Is that the case?
You can't convert MS-CHAP into PAP or CHAP. And I have no idea what you mean when you say the NAS does authentication. Alan DeKok.
Sorry, by NAS I was referring to the Home Radius Server (guess my terminology was incorrect), but I guess that answers the question anyways. John On Thu, Jan 7, 2010 at 12:55 PM, Alan DeKok <aland@deployingradius.com> wrote:
John Gammons wrote:
My client "Ubiquity Nanostation" only supports EAP-TTLS MSCHAPv2.
My NAS, only supports access-requests using PAP/CHAP passwords in clear-text.
What does that mean?
I am attempting to setup a "Radius Proxy" that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.
The NAS is a RADIUS client. It originates Access-Requests. It doesn't receive them, and it definitely doesn't do authentication.
The more I read, the more I am getting the impression that this is not possible. Is that the case?
You can't convert MS-CHAP into PAP or CHAP. And I have no idea what you mean when you say the NAS does authentication.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
jgammons@gmail.com -
John Gammons