Proxying a PEAP request to an IAS server

Dan Newcombe newcombe at mordor.clayton.edu
Tue Nov 8 22:40:48 CET 2005


Okay...one step closer.  I had been using a debian version of freeradius 
1.0.2 and hacked in the eap-tls.  I have since followed Ben Kenobi's 
advice and "use the source".  It appears to be sending packets to the 
IAS box now, and I can cut the stuff out and use radclient and have IAS 
respond, however it doesn't seem to be responding to the server 
process.   One step closer - miles away!

:)

Dan Newcombe wrote:

> Hi all.    I've done my best to try and figure this out myself, but am 
> really stuck.
> First the basics:  An enterasys C2 switch set up to do 802.1x 
> authentication.  This switch points to my freeradius server.   
> Attached to the switch is my XP notebook, which is set up to do 802.1x 
> via PEAP.    On the back end is a Win2k3 server which is running IAS.
> The idea is to have all the network switches send the authentication 
> requests to the freeradius server, which will then decide if it needs 
> to go to the windows box (for staff) or a different box (for 
> students).  Also, the Win2k3 IAS server has a limit of 50 clients 
> unless you scale up to the advanced server, which I find just sad that 
> they have done this.
>
> Anyway, I have tested from the freeradius box to the IAS box using 
> radtest, and everything is working, so I am being seen as a client.
> The problem is when I try to have the notebook authenticate.   I 
> see
>   rlm_eap: Request is supposed to be proxied to Realm NULL.  Not doing EAP.
> in the debug output, which I gather is normal, but somehow part of the 
> problem.    Basically, the IAS server seems to ignore whatever is 
> coming across from the freeradius box.    My (uneducated) guess is 
> that this is because it has the EAP params in it, but is not eap???    
> However, a normal "clear-text" attempt via radtest works fine.
>
> I have found this post by Alan DeKok - 
> http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/26170 which 
> sounds very similar to what I am doing
>
> First, configure the server to terminate the tunnel, and
> authenticate the inner session locally.  Once that works, configure
> the server to proxy the inner session only.
>
> I guess where I am really lost is how to follow the above suggestion.
> This is what it is sending to the IAS box, which is being ignored.
> Sending Access-Request of id 1 to 172.25.8.114:1812
>       User-Name = "CCSU\\dan"
>       Called-Station-Id = "00-11-88-12-6e-70"
>       Calling-Station-Id = "00-0f-1f-43-c8-38"
>       NAS-Identifier = "00-11-88-12-6e-5d"
>       NAS-IP-Address = 172.25.7.11
>       NAS-Port = 19
>       Framed-MTU = 1500
>       NAS-Port-Type = Ethernet
>       EAP-Message = 0x0202001201434353555c646e6577636f6d63
>       Message-Authenticator = 0x00000000000000000000000000000000
>       Proxy-State = 0x3432
>
> Thanks for any help...I'm really stuck on this part!
>   -Dan
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
