Peap mschapv2 proxy early termination of EAP
Andy Goy
Andy.Goy at kcom.com
Tue Jan 3 17:14:50 CET 2006
> -----Original Message-----
> From: Andy Goy
> Sent: Friday, December 30, 2005 1:34 PM
> To: 'freeradius-users at lists.freeradius.org'
> Subject: Peap mschapv2 proxy early termination of EAP
>
> Hi Alan
Thanks for the reply.
Andy Goy <Andy.Goy at kcom.com> wrote:
> I have added 2 lines to the users file
>
> DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL,
> Auth-Type = EAP (line 167)
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := wifi
> (line 168)
The first line is unnecessary. Delete it.
Alan DeKok.
Without the first line the request goes straight out as EAP-MSCHAPv2
to the proxy server.
With a lot more digging in the lists, I found a number of comments
regarding my problem:
Don't include a realm for the initial (outer) realm, and make the
inner realm that contains the proxy server settings unique.
Write a common detail file and use radrelay to proxy accounting
(there were also questions asking how to just get the realm variable
to select the correct proxy server for accounting).
This improved things, but the real solution was to include a realm
for the outer pointing to LOCAL, and point the inner to the correct proxy
server.
This then provides the %{Realm} variable to write a detail-combined
file for each realm (using suffix).
Two radrelays send accounting to the correct servers.
Thanks for all your comments in the lists.
It's a wonderful piece of software/work.
The following config works a treat for me; I just need to
purchase/install a real signed certificate now!
I hope it's correct and maybe helps someone.
Regards
Andy
To proxy PEAP/EAP-MSCHAPv2 to a proxy server that only supports plain
MSCHAPv2 (and send accounting).
Users log in as username@wifi and username@isp2.
users
DEFAULT User-Name =~ "@wifi$", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-wifi
        Fall-Through = Yes
DEFAULT User-Name =~ "@isp2$", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-isp2
        Fall-Through = Yes
radiusd.conf
detail {
        # one detail file per realm; %{Realm} is set by the suffix module
        detailfile = ${radacctdir}/%{Realm}/detail-combined
        detailperm = 0600
}
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                # Check the Certificate Revocation List
                # check_crl = yes
                # check
        }
        peap {
                default_eap_type = mschapv2
                # forward the inner request as plain MS-CHAP attributes, not EAP
                proxy_tunneled_request_as_eap = no
                use_tunneled_reply = yes
                copy_request_to_tunnel = yes
        }
        mschapv2 {
        }
}
proxy.conf
# outer realms stay LOCAL so the PEAP tunnel terminates here
realm wifi {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        nostrip
}
# inner realms point at the proxy servers (hosts masked by the poster)
realm inner-wifi {
        type = radius
        authhost = xxxxxxxxxx:1645
        accthost = xxxxxxxxxx:1646
        secret = wifisecret
        nostrip
}
realm isp2 {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        nostrip
}
realm inner-isp2 {
        type = radius
        authhost = xxxxxxxx:1812
        accthost = xxxxxxxx:1813
        secret = isp2secret
        nostrip
}
Radrelay command for wifi realm
radrelay -a <your accounting dir>/radacct/wifi -d /etc/raddb -r <address of wifi proxy>:<port> -s wifisecret detail-combined
Radrelay command for isp2 realm (same form, with the isp2 directory, proxy address and secret)
radrelay -a <your accounting dir>/radacct/isp2 -d /etc/raddb -r <address of isp2 proxy>:<port> -s isp2secret detail-combined
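The following is an added example, not part of the original post and not FreeRADIUS code: a small Python model of the two-pass routing that the users-file and proxy.conf fragments above produce for one PEAP/MSCHAPv2 login. It shows why the outer realm must stay LOCAL (the EAP exchange terminates here and %{Realm} is still set for the detail file), why only the tunnelled inner request, carrying FreeRADIUS-Proxied-To = 127.0.0.1, is re-pointed at the inner-* realm, and what leaves the box when the outer realm is instead pointed at the ISP proxy, which is the "early termination" failure in the subject line. Realm names, ports and secrets mirror the post; the proxy host names, the ${radacctdir} value, the attribute bytes and the user names are placeholders constructed for the example.

```python
"""
Added example (not FreeRADIUS code): model of the routing produced by the
posted users-file and proxy.conf for a PEAP/MSCHAPv2 login.
"""
import re

# proxy.conf as posted: outer realms LOCAL, inner-* realms are the ISP proxies
# that only understand plain (non-EAP) MSCHAPv2.  Hosts are placeholders.
REALMS_POSTED = {
    "wifi":       {"authhost": "LOCAL", "accthost": "LOCAL"},
    "inner-wifi": {"authhost": "wifi-proxy.example:1645",
                   "accthost": "wifi-proxy.example:1646", "secret": "wifisecret"},
    "isp2":       {"authhost": "LOCAL", "accthost": "LOCAL"},
    "inner-isp2": {"authhost": "isp2-proxy.example:1812",
                   "accthost": "isp2-proxy.example:1813", "secret": "isp2secret"},
}

# The users-file DEFAULT entries: they match only the tunnelled request
# (FreeRADIUS-Proxied-To == 127.0.0.1) and redirect it to an inner-* realm.
USERS_RULES = [
    (re.compile(r"@wifi$"), "inner-wifi"),
    (re.compile(r"@isp2$"), "inner-isp2"),
]

RADACCTDIR = "/var/log/radius/radacct"   # assumed value of ${radacctdir}


def suffix_realm(user_name):
    """rlm_realm 'suffix': the realm is whatever follows the last '@'."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None


def route(request, realms=REALMS_POSTED):
    """Return (realm, authhost) for one request, in evaluation order.

    Pass 1 (suffix): Proxy-To-Realm := realm named by the @suffix.
    Pass 2 (users):  a tunnelled inner request is re-pointed at inner-<realm>.
    """
    user = request["User-Name"]
    realm = suffix_realm(user)
    if realm not in realms:
        return None, "REJECT"            # unknown realm is never forwarded
    if request.get("FreeRADIUS-Proxied-To") == "127.0.0.1":
        for pattern, inner in USERS_RULES:
            if pattern.search(user):
                realm = inner
                break
    return realm, realms[realm]["authhost"]


def to_proxy(request, realms=REALMS_POSTED):
    """Attributes that leave this server, or None when handled LOCALly.

    With proxy_tunneled_request_as_eap = no the inner EAP-MSCHAPv2 goes out as
    MS-CHAP-Challenge / MS-CHAP2-Response, which a non-EAP home server can
    verify.  A forwarded *outer* request still carries the raw EAP-Message,
    i.e. the tunnel is handed off before it was ever built.
    """
    realm, host = route(request, realms)
    if host in ("LOCAL", "REJECT"):
        return None
    out = {"User-Name": request["User-Name"], "home": host}  # nostrip: @realm kept
    if request.get("FreeRADIUS-Proxied-To") == "127.0.0.1":
        out["MS-CHAP-Challenge"] = request["MS-CHAP-Challenge"]
        out["MS-CHAP2-Response"] = request["MS-CHAP2-Response"]
    else:
        out["EAP-Message"] = request["EAP-Message"]
    return out


def detail_file(acct_request):
    """Per-realm detail-combined file that the matching radrelay forwards."""
    return f"{RADACCTDIR}/{suffix_realm(acct_request['User-Name'])}/detail-combined"


# Constructed sample requests for the user "andy@wifi" (placeholder bytes).
OUTER = {"User-Name": "andy@wifi",
         "EAP-Message": bytes([2, 1, 0, 14, 1]) + b"andy@wifi"}  # EAP Response/Identity
INNER = {"User-Name": "andy@wifi", "FreeRADIUS-Proxied-To": "127.0.0.1",
         "MS-CHAP-Challenge": b"\x11" * 16, "MS-CHAP2-Response": b"\x22" * 50}
ACCT = {"User-Name": "andy@wifi", "Acct-Status-Type": "Start"}

# The misconfiguration the post started from: outer realm pointing at the ISP.
REALMS_BAD = dict(REALMS_POSTED, wifi={"authhost": "wifi-proxy.example:1645",
                                       "accthost": "wifi-proxy.example:1646"})

if __name__ == "__main__":
    print(route(OUTER), to_proxy(OUTER))
    print(route(INNER), to_proxy(INNER))
    print(detail_file(ACCT))
    print(to_proxy(OUTER, REALMS_BAD))
```

Running the block prints the outer request staying LOCAL, the inner request leaving as MS-CHAP attributes for inner-wifi, the accounting path radacct/wifi/detail-combined, and, for the misconfigured table, the raw EAP-Message being sent to a proxy that cannot answer it.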