Adding proxying to our EAP setup

Alan DeKok aland at
Sun Oct 8 21:26:45 CEST 2006

Dave Mussulman <mussulma at> wrote:
> What's the recommended way to configure failover proxying/realms when
> there's no realm-ish identifier?  When "user" logs in, I want them to
> check against ntlm_auth, and if that fails, resort back to a proxied
> realm as "user".

  That's a little difficult to do, because the "do proxy" code isn't
tied into the "authenticate" section.  Instead, you could look the
user up in LDAP, and if they're not found, set "Proxy-To-Realm :=
foo", where "foo" is a normal realm.

> Right now, I'm doing that via the default config realm suffix {}
> module, and a realm NULL section in proxy.conf.  Is there a better
> way?  Hints or something?  Does this involve the
> configurable_failover documentation?


> Second question involves proxies and EAP.  Since my upstream RADIUS
> server I'm proxying to doesn't seem to support EAP, is it even possible
> for my RADIUS server (in its PEAP/MSCHAPv2 decoding) to create a
> 'normal' RADIUS packet to relay?

  Yes.  You can proxy the inner EAP-MSCHAPv2 session as MS-CHAPv2.
Read "eap.conf".

  Alan DeKok.
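The two suggestions in the reply above, sketched as configuration. This is an added example, not part of the original message or of the FreeRADIUS distribution. It assumes the unlang policy syntax and home-server pools of FreeRADIUS 2.x and later, which postdate this message, and the names `upstream`, `upstream_pool`, the address and the secret are placeholders.

```conf
# --- authorize section (assumption: for PEAP this is the section that
# --- handles the tunneled request, e.g. the inner-tunnel virtual server)
authorize {
    # Look the user up locally first.
    ldap

    # rlm_ldap returns "notfound" when no entry matches. Only in that case
    # hand the request to the realm "foo", as suggested in the reply.
    if (notfound) {
        update control {
            Proxy-To-Realm := "foo"
        }
    }

    # Still needed so that local users get EAP handling.
    eap
}

# --- proxy.conf: "foo" is a normal realm pointing at the upstream server
home_server upstream {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder (documentation address range)
    port   = 1812
    secret = CHANGE_ME         # placeholder shared secret
}

home_server_pool upstream_pool {
    type        = fail-over
    home_server = upstream
}

realm foo {
    auth_pool = upstream_pool
}

# --- eap.conf: the upstream server does not speak EAP, so proxy the
# --- tunneled EAP-MSCHAPv2 session as plain MS-CHAPv2 attributes
eap {
    peap {
        proxy_tunneled_request_as_eap = no
    }
}
```

With `proxy_tunneled_request_as_eap = no`, the MS-CHAPv2 challenge and response leave the TLS tunnel and cross the proxy hop protected only by the RADIUS shared secret, so that secret should be long and random and the path to the home server should be trusted.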

More information about the Freeradius-Users mailing list