Terminate EAP in FreeRADIUS and do authentication in other RADIUS server.

Phil Mayers p.mayers at imperial.ac.uk
Sun Oct 28 18:19:52 CET 2007

On Sat, 2007-10-27 at 00:08 +0200, Ruijgrok, Ronald wrote:
> Hi
> I want to do 802.1x PEAP authentication on FreeRADIUS. Authentication
> (username/password checking) needs to be done on another RADIUS server
> (Safeword server), which is uncapable to handle EAP requests.
> What I do have working:
> * PEAP with users in a local MySQL database on the FreeRADIUS server
> * proxy simple authentication requests to Safeword server

If you are using the default windows supplicant, the inner auth type for
PEAP is EAP/MS-CHAP; this is *not* simple username/password.

Most likely the rules you have set are matching, but as I say the inner
EAP type is EAP/MS-CHAP, so you still see EAP packets at the Safeword

You can set:

 peap {
  proxy_tunneled_request_as_eap = no

...in eap.conf and then you'll get plain MS-CHAP at the Safeword server.

> I have configured all kinds of options suggested in this list to try to
> terminate the EAP tunnel in FreeRADIUS, but still EAP messages are sent to
> the Safeword server:
> An RADIUS Access-Request is sent, with these attribute value pairs:
> EAP-Message
> User-Name
> NAS-IP-Address
> Message-Authenticator
> Proxy-State
> I should expect a RADIUS Access-Request with these attribute value pairs:
> User-Name
> User-Password
> NAS-IP-Address
> NAS-Port
> Proxy-State

You will need to use EAP-TTLS/PAP to get exactly this.

More information about the Freeradius-Users mailing list