Proxy PEAP to one Radius Server - EAP-TLS to another Radius Server
Hi All I would like to anwser PEAP radius requests on the receiving radius server and proxy EAP-TLS radius requests to another home server via the proxy function. Is this possible with unlang? Thanks Basile
On Aug 13, 2015, at 1:43 PM, Basile Bluntschli <basile.bluntschli@gmail.com> wrote:
I would like to anwser PEAP radius requests on the receiving radius server and proxy EAP-TLS radius requests to another home server via the proxy function. Is this possible with unlang?
No. It's impossible. Alan DeKok.
Hi Alan thanks for your fast reply! So impossible means, it is not possible with EAP? (nothing to do with unlang?) Because only at the inner tunnel it is visible what EAP type it is? Thanks Basile 2015-08-13 14:02 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Aug 13, 2015, at 1:43 PM, Basile Bluntschli < basile.bluntschli@gmail.com> wrote:
I would like to anwser PEAP radius requests on the receiving radius server and proxy EAP-TLS radius requests to another home server via the proxy function. Is this possible with unlang?
No. It's impossible.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 13, 2015, at 2:25 PM, Basile Bluntschli <basile.bluntschli@gmail.com> wrote:
thanks for your fast reply! So impossible means, it is not possible with EAP? (nothing to do with unlang?)
It's impossible because it was designed to be impossible, by the people who created EAP. You can't change one EAP type into another. Alan DeKok.
Hi Alan maybe I was not clear with my initial question. My switch will have the radius server A configured. All radius requests will be sent to the radius server A. If supplicant X wants to authenticate with PEAP, radius server A would handle the full request. If Supplicant Z wants to authenticate with EAP-TLS radius server A would proxy the whole request to Radius Server B. Is there a way to do this? Thanks Basile 2015-08-13 14:34 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Aug 13, 2015, at 2:25 PM, Basile Bluntschli < basile.bluntschli@gmail.com> wrote:
thanks for your fast reply! So impossible means, it is not possible with EAP? (nothing to do with unlang?)
It's impossible because it was designed to be impossible, by the people who created EAP. You can't change one EAP type into another.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Aug 13, 2015 at 03:05:04PM +0200, Basile Bluntschli wrote:
My switch will have the radius server A configured. All radius requests will be sent to the radius server A. If supplicant X wants to authenticate with PEAP, radius server A would handle the full request. If Supplicant Z wants to authenticate with EAP-TLS radius server A would proxy the whole request to Radius Server B.
Is there a way to do this?
First thing that comes to mind is to look at the EAP type in the incoming EAP-Message, and update proxy-to-realm if it's EAP-TLS. Something like this: if (EAP-Message =~ /^0x........0d/) { update control { Proxy-To-Realm := 'remote_realm' } else { eap } but there may be cleaner ways to do it. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 13/08/15 14:13, Matthew Newton wrote:
On Thu, Aug 13, 2015 at 03:05:04PM +0200, Basile Bluntschli wrote:
My switch will have the radius server A configured. All radius requests will be sent to the radius server A. If supplicant X wants to authenticate with PEAP, radius server A would handle the full request. If Supplicant Z wants to authenticate with EAP-TLS radius server A would proxy the whole request to Radius Server B.
Is there a way to do this?
First thing that comes to mind is to look at the EAP type in the incoming EAP-Message, and update proxy-to-realm if it's EAP-TLS. Something like this:
if (EAP-Message =~ /^0x........0d/) { update control { Proxy-To-Realm := 'remote_realm' } else { eap }
but there may be cleaner ways to do it.
I wondered about that; what about the EAP-Identity packet?
On Thu, Aug 13, 2015 at 02:18:19PM +0100, Phil Mayers wrote:
if (EAP-Message =~ /^0x........0d/) {
I wondered about that; what about the EAP-Identity packet?
Hmm, good point, I forgot about that. Maybe it won't work that easily, then. I can think of another way of doing it, but it's not nice. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Aug 13, 2015, at 9:28 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Aug 13, 2015 at 02:18:19PM +0100, Phil Mayers wrote:
if (EAP-Message =~ /^0x........0d/) {
I wondered about that; what about the EAP-Identity packet?
Hmm, good point, I forgot about that. Maybe it won't work that easily, then.
I can think of another way of doing it, but it's not nice.
Is an Identity-Response definitely required to start PEAP/EAP-TLS sessions? Doesn't seem like there's a good reason for that limitation if so. Even if a RFC required it, there's still no good reason to enforce it that I can see? -Arran
On 13/08/15 14:53, Arran Cudbard-Bell wrote:
Is an Identity-Response definitely required to start PEAP/EAP-TLS sessions? Doesn't seem like there's a good reason for that limitation if so. Even if a RFC required it, there's still no good reason to enforce it that I can see?
It's not a requirement I think, and IIRC FreeRADIUS contains code to handle this case. But maybe other servers don't; whether this is a problem will depend on behaviour of the upstream I guess.
Hi Matthew thanks for your anwser would you mind sharing what "not nice" solution may could work? Thanks Basile 2015-08-13 15:28 GMT+02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Thu, Aug 13, 2015 at 02:18:19PM +0100, Phil Mayers wrote:
if (EAP-Message =~ /^0x........0d/) {
I wondered about that; what about the EAP-Identity packet?
Hmm, good point, I forgot about that. Maybe it won't work that easily, then.
I can think of another way of doing it, but it's not nice.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dodgy hacks that might work on the current or particular radius server , with some but not all clients supported and depend on your environment ;) alan
On Fri, Aug 14, 2015 at 09:33:08AM +0200, Basile Bluntschli wrote:
thanks for your anwser would you mind sharing what "not nice" solution may could work?
Something along the lines of look up tuple(calling-station-id, user-name) in cache/db if found { proxy } else { eap if (eap-type == "EAP-TLS" (or EAP-Message regex etc)) { add tuple(calling-station-id, user-name) to cache/db reject } } I'm sure you really don't want to do this. But you did ask. I would a) work out some other way to distinguish between the different types of clients; or b) do it all on one RADIUS server. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matthew thanks, I try to go route a) then. If I find a way of doing so I would post it here. Thanks Basile 2015-08-14 10:46 GMT+02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Fri, Aug 14, 2015 at 09:33:08AM +0200, Basile Bluntschli wrote:
thanks for your anwser would you mind sharing what "not nice" solution may could work?
Something along the lines of
look up tuple(calling-station-id, user-name) in cache/db if found { proxy } else { eap if (eap-type == "EAP-TLS" (or EAP-Message regex etc)) { add tuple(calling-station-id, user-name) to cache/db reject } }
I'm sure you really don't want to do this. But you did ask.
I would
a) work out some other way to distinguish between the different types of clients; or
b) do it all on one RADIUS server.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 13, 2015, at 3:18 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I wondered about that; what about the EAP-Identity packet?
RFC 3579 (EAP over RADIUS) says: The authenticating peer and the NAS begin the EAP conversation by negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD send an initial EAP-Request message to the authenticating peer. This will typically be an EAP-Request/Identity, although it could be an EAP-Request for an authentication method (Types 4 and greater). However, RFC 2284 (EAP) says: Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.). which likely means that *all* EAP sessions for 802.1X will start with Identity, and never just start an EAP type. Alan DeKok.
On 13 Aug 2015, at 08:25, Basile Bluntschli <basile.bluntschli@gmail.com> wrote:
Hi Alan
thanks for your fast reply! So impossible means, it is not possible with EAP? (nothing to do with unlang?)
It's not possible, nothing to do with unlang. You can however, proxy MSCHAPv2 from the PEAP inner tunnel. So if you want two RADIUS servers handling different parts of the authentication, that would be how you'd do it in the case of PEAP. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (6)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Basile Bluntschli -
Matthew Newton -
Phil Mayers