Adding proxying to our EAP setup

Dave Mussulman mussulma at uiuc.edu
Fri Oct 6 23:48:20 CEST 2006


Hello,

I've been using FreeRADIUS for years to do PEAP/MSCHAP2 WPA
authentications, and it's worked well enough to be a
set-it-and-forget-it solution.  I'm currently running 1.0.4, but would
upgrade if it would help me accomplish the goals in this message.

However, changing environments bring me back into the config, and I'm
not sure how to do what I want.  We've been using ntlm_auth against the
AD for our primary authentication, with a fallback to sql and plaintext
passwords for local accounts.  I'd like to change from maintaining my
own sql copy/user database to RADIUS proxying to someone else's server.
From a few trial/error tests, I have two questions about proxying and
EAP.

What's the recommended way to configure failover proxying/realms when
there's no realm-ish identifier?  When "user" logs in, I want them to
check against ntlm_auth, and if that fails, resort back to a proxied
realm as "user".  Right now, I'm doing that via the default config realm
suffix {} module, and a realm NULL section in proxy.conf.  Is there a
better way?  Hints or something?  Does this involve the
configurable_failover documentation?

Second question involves proxies and EAP.  Since my upstream RADIUS
server I'm proxying to doesn't seem to support EAP, is it even possible
for my RADIUS server (in its PEAP/MSCHAPv2 decoding,) to create a
'normal' RADIUS packet to relay?  Or do I have to get the upstream
server to support EAP?  It seems like if suffix (realm) module is
anywhere in the authorize section, it proxies the entire EAP packet.
Can I tell it only to do that at a certain stage in the process?

How would you recommend I configure this?

Dave
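For readers unfamiliar with the setup the message describes, the fragment below illustrates, in FreeRADIUS 1.x syntax, what a "suffix" realm module plus a NULL realm in proxy.conf looks like. It is an added example written for this page, not the poster's actual configuration; the upstream host name and shared secret are placeholders, and the authorize listing is an assumed minimal one.

```conf
# radiusd.conf, "modules" section: the realm module named "suffix".
# A User-Name with no "@" delimiter matches the NULL realm.
realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
}

# proxy.conf: realm entry that catches user names carrying no realm.
# Host and secret are placeholders, not the poster's values.
realm NULL {
        type            = radius
        authhost        = upstream-radius.example.org:1812
        accthost        = upstream-radius.example.org:1813
        secret          = CHANGE_ME_SHARED_SECRET
}

# radiusd.conf "authorize" section (assumed minimal ordering).
# When "suffix" matches a realm it sets Proxy-To-Realm, and the server
# forwards the request as received, EAP-Message attributes included,
# before the authenticate section ever runs. That is why the whole
# EAP exchange ends up at the upstream server rather than the
# decoded inner MS-CHAPv2 credentials.
authorize {
        preprocess
        mschap
        suffix
        eap
        files
}
```

The shared secret is the only thing protecting the proxied Access-Request on the wire, so it should be long and unique per upstream peer, and the proxied MS-CHAPv2 exchange stays safe only inside the PEAP TLS tunnel, which ends at the server doing the decoding, not at the upstream one.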
