Adding proxying to our EAP setup
Alan DeKok
aland at deployingradius.com
Sun Oct 8 21:26:45 CEST 2006

Dave Mussulman <mussulma at uiuc.edu> wrote:
> What's the recommended way to configure failover proxying/realms when
> there's no realm-ish identifier? When "user" logs in, I want them to
> check against ntlm_auth, and if that fails, resort back to a proxied
> realm as "user".

That's a little difficult to do, because the "do proxy" code isn't
tied into the "authenticate" section. Instead, you could look the
user up in LDAP, and if they're not found, set "Proxy-To-Realm :=
foo", where "foo" is a normal realm.

> Right now, I'm doing that via the default config realm suffix {}
> module, and a realm NULL section in proxy.conf. Is there a better
> way? Hints or something? Does this involve the
> configurable_failover documentation?

Yes.

> Second question involves proxies and EAP. Since my upstream RADIUS
> server I'm proxying to doesn't seem to support EAP, is it even possible
> for my RADIUS server (in its PEAP/MSCHAPv2 decoding) to create a
> 'normal' RADIUS packet to relay?

Yes. You can proxy the inner EAP-MSCHAPv2 session as MS-CHAPv2.
Read "eap.conf".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
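
Added example, not part of the original message or of the FreeRADIUS distribution: a configuration sketch of the two answers above. It assumes FreeRADIUS 2.x or later (for the unlang "if (notfound)" test), an LDAP module instance named "ldap", and a realm "foo" already defined in proxy.conf; "foo" is the placeholder realm name from the reply.

```conf
# eap.conf, inside the eap { } module block.
peap {
	default_eap_type = mschapv2

	# Default is "yes": the tunneled EAP-MSCHAPv2 session is proxied
	# as EAP, which a home server without EAP support cannot handle.
	# "no" proxies the tunneled session as plain MS-CHAPv2 instead.
	proxy_tunneled_request_as_eap = no
}

# authorize section that processes the tunneled (inner) request.
# Only the lines relevant to the proxy decision are shown; the other
# modules already listed in this section stay as they are.
authorize {
	# Look the user up locally first.
	ldap

	# Assumption: the ldap module returns "notfound" for users that
	# do not exist locally. Only those requests are sent upstream.
	if (notfound) {
		update control {
			Proxy-To-Realm := "foo"
		}
	}
}
```

Running the server in debug mode (radiusd -X) shows whether the request sent to the home server carries MS-CHAP attributes rather than an EAP-Message attribute.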