Adding proxying to our EAP setup

Phil Mayers p.mayers at
Wed Oct 11 01:24:36 CEST 2006

Dave Mussulman wrote:
> The catch I ran into involved the mschap section not authenticating off
> the User-Password in the users file if I had ntlm_auth line configured.
> This is my test system, and I don't have samba/winbindd configured so
> those attempts always failed, but it never seemed to fall back to
> figuring it out itself.  That made troubleshooting difficult when I
> couldn't get the simple users file entry to work.  Commenting out the
> ntlm_auth line did the trick.  I haven't changed anything on our
> production servers, but it must do things differently as we have
> ntlm_auth configured and authenticating from the AD or a sql database
> with local passwords.  Maybe FreeRADIUS handles different ntlm_auth
> failures differently (cannot bind versus bad user password?)

You need something like this:

alocaluser	User-Password := "astring", MS-CHAP-Use-NTLM-Auth := 0

...which lets you use ntlm_auth for some users, but override it on a 
case-by-case basis.

> Until the upstream server gets the functionality I'm looking for, there
> were a few possible future issues I wanted to document before I lost
> them.  If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address
> == trick doesn't work.  I was also concerned that proxying

Hmm. Yes, that would occur, and in many cases copy_request_to_tunnel is 
highly desirable. Not sure how to handle that.

> seems to keep the NAS-IP-Address set to, and I didn't know if
> the upstream provider would be concerned about that.  I put a setting in
> the preproxy_users file to set that to an allowed NAS IP, but didn't get
> to fully test/confirm that worked.

Yes again. Hmm. Not really optimal - the ideal situation would be 
copy_request_to_tunnel to give the original NAS IPs/ports/etc. to the 
upstream server, but as you say that breaks the match for the inner eap. 
I guess inner/outer should really be a FreeRADIUS internal attribute.

From the look of the code however, fake requests will have 
Client-IP-Address set to by the "preprocess" module, and 
that's a FreeRADIUS internal/not-on-the-wire attribute - you should be 
able to replace matching on NAS-IP-Address with Client-IP-Address and 
set copy_request_to_tunnel and all would be well.

> Thanks again for the help, and great product!
> Dave