Proxying a PEAP request to an IAS server
Dan Newcombe
newcombe at mordor.clayton.edu
Tue Nov 8 20:44:35 CET 2005
Hi all. I've done my best to try and figure this out myself, but am
really stuck.
First the basics: An Enterasys C2 switch set up to do 802.1x
authentication. This switch points to my freeradius server. Attached
to the switch is my XP notebook, which is set up to do 802.1x via PEAP.
On the back end is a Win2k3 server which is running IAS.
The idea is to have all the network switches send the authentication
requests to the freeradius server, which will then decide if it needs to
go to the windows box (for staff) or a different box (for students).
Also, the Win2k3 IAS server has a limit of 50 clients unless you scale
up to the advanced server, which I just find sad.
Anyway, I have tested from the freeradius box to the IAS box using
radtest, and everything is working, so I am being seen as a client.
The problem is when I try to have the notebook authenticate. I see
rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP.
in the debug output, which I gather is normal, but somehow part of the
problem. Basically, the IAS server seems to ignore whatever is coming
across from the freeradius box. My (uneducated) guess is that this is
because it has the EAP params in it, but is not EAP??? However, a
normal "clear-text" attempt via radtest works fine.
I have found this post by Alan DeKok -
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/26170 which
sounds very similar to what I am doing:

> First, configure the server to terminate the tunnel, and
> authenticate the inner session locally. Once that works, configure
> the server to proxy the inner session only.
I guess where I am really lost is how to follow the above suggestion.
This is what it is sending to the IAS box, which is being ignored.
Sending Access-Request of id 1 to 172.25.8.114:1812
	User-Name = "CCSU\\dan"
	Called-Station-Id = "00-11-88-12-6e-70"
	Calling-Station-Id = "00-0f-1f-43-c8-38"
	NAS-Identifier = "00-11-88-12-6e-5d"
	NAS-IP-Address = 172.25.7.11
	NAS-Port = 19
	Framed-MTU = 1500
	NAS-Port-Type = Ethernet
	EAP-Message = 0x0202001201434353555c646e6577636f6d63
	Message-Authenticator = 0x00000000000000000000000000000000
	Proxy-State = 0x3432
Thanks for any help...I'm really stuck on this part!
-Dan
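For anyone following this thread who wants a concrete form of Alan's suggestion, the following is an added example (not Dan's configuration and not part of the original post) of a FreeRADIUS 1.x-style setup that terminates the PEAP tunnel on the freeradius box and proxies only the inner EAP-MSCHAPv2 session to the IAS server. The IAS address 172.25.8.114 and the "CCSU\dan" style of user name come from the post; the realm name `ias`, the shared secret, the certificate paths and the module ordering are assumptions. It relies on rlm_eap tagging the tunnelled inner request with FreeRADIUS-Proxied-To = 127.0.0.1, which is what lets the users file tell the inner request apart from the outer one.

```conf
# --- raddb/eap.conf (added example, not from the original post) ---
# Terminate the PEAP/TLS tunnel on the FreeRADIUS box itself. The outer
# request is never proxied; only the inner EAP-MSCHAPv2 conversation
# is forwarded to IAS.
eap {
	default_eap_type = peap

	tls {
		# Assumed paths. The XP supplicant must trust THIS certificate now,
		# not the IAS server's, because the tunnel ends here.
		private_key_file = ${raddbdir}/certs/server.pem
		certificate_file = ${raddbdir}/certs/server.pem
		CA_file          = ${raddbdir}/certs/ca.pem
		dh_file          = ${raddbdir}/certs/dh
		random_file      = ${raddbdir}/certs/random
	}

	peap {
		# Inner method the XP supplicant uses by default for PEAP
		default_eap_type = mschapv2
		# Copy outer attributes (Calling-Station-Id etc.) into the inner request
		copy_request_to_tunnel = yes
		# Use the inner session's reply (e.g. VLAN attributes from IAS) as the final reply
		use_tunneled_reply = yes
	}

	mschapv2 {
	}
}

# --- raddb/proxy.conf (added example) ---
# Realm pointing at the IAS box from the post. "ias" and the secret are
# assumed; the secret must match the RADIUS client entry for this box in
# IAS. "nostrip" keeps "CCSU\dan" intact so the domain prefix reaches IAS.
realm ias {
	type      = radius
	authhost  = 172.25.8.114:1812
	accthost  = LOCAL
	secret    = CHANGEME-assumed-shared-secret
	nostrip
}

# --- raddb/users (added example) ---
# Only the tunnelled inner request carries FreeRADIUS-Proxied-To (rlm_eap
# sets it to 127.0.0.1), so the outer PEAP request does not match this
# entry and is handled by EAP locally, while the inner one is proxied.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "ias"

# --- raddb/radiusd.conf, relevant sections (added example) ---
# Do NOT list "realm" or "ntdomain" in authorize: they would see the
# "CCSU\" prefix on the OUTER request, set Proxy-To-Realm, and produce
# exactly the "Request is supposed to be proxied ... Not doing EAP" path
# shown in the post. "files" runs before "eap" so Proxy-To-Realm is
# already set when eap decides whether to handle the request.
authorize {
	preprocess
	files
	eap
}
authenticate {
	eap
}
```

To follow Alan's two steps with this: first leave the `DEFAULT ... Proxy-To-Realm` line commented out and put a local test account (with `mschap` enabled and an NT-Password or clear-text User-Password) in `users` until the notebook authenticates against freeradius alone; then add the line back. In `radiusd -X` output, a correct setup shows the outer request staying local and a second, inner request (carrying `FreeRADIUS-Proxied-To = 127.0.0.1` and an EAP-MSCHAPv2 EAP-Message) being the only one sent to 172.25.8.114. On the IAS side the remote access policy must allow the "Secured password (EAP-MSCHAP v2)" EAP type for the freeradius box as a RADIUS client. One caveat worth stating: with this arrangement the inner MS-CHAPv2 exchange crosses the freeradius-to-IAS hop protected only by the RADIUS shared secret, not by TLS, so keep that link on a trusted network and use a strong secret.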