post-auth for proxied peap inner
p.mayers at imperial.ac.uk
Sat Oct 26 20:28:19 CEST 2013
On 25/10/2013 18:18, Alan DeKok wrote:
> Phil Mayers wrote:
>> We have a need to run the post-auth section on proxied peap/ttls inner
>> (proxied as EAP - none of the crazy packet mangling hacks). 2.x doesn't
>> do this, I haven't checked 3.x but assume it's unchanged?
> Actually, 2.2.1 should do this.
>> I've tried a few crazy hacks in the source but it all explodes; does
>> anyone have any insight into what needs doing?
> Magic. It's always magic.

I'm having a *really* hard time understanding how this works at all; I
don't get how the code in peap.c:~1126 actually causes a proxy request
to be sent; ultimately it's all called via rad_authenticate, which only
seems to check/process request->proxy after authorize, when rlm_eap does
all its work in authenticate.

Put another way - the original PEAP request containing the PEAP inner
comes into rad_authenticate via listen.c - I don't see how, once TLS is
decoded and peap.c has run the fake request via the inner tunnel server,
the proxy packet gets sent and replied to.

(The reason for wanting to know this is to understand where to put the
processing code so that the "fake" can be pushed through post-auth
correctly without breaking the "proxy as non-EAP" workaround)