Terminate EAP in FreeRADIUS and do authentication in other RADIUS server.
Phil Mayers
p.mayers at imperial.ac.uk
Sun Oct 28 18:19:52 CET 2007
On Sat, 2007-10-27 at 00:08 +0200, Ruijgrok, Ronald wrote:
> Hi
>
> I want to do 802.1x PEAP authentication on FreeRADIUS. Authentication
> (username/password checking) needs to be done on another RADIUS server
> (Safeword server), which is incapable of handling EAP requests.
>
> What I do have working:
> * PEAP with users in a local MySQL database on the FreeRADIUS server
> * proxy simple authentication requests to Safeword server

If you are using the default Windows supplicant, the inner auth type for
PEAP is EAP/MS-CHAP; this is *not* simple username/password.

Most likely the rules you have set are matching, but as I say the inner
EAP type is EAP/MS-CHAP, so you still see EAP packets at the Safeword
server.

You can set:

  peap {
      proxy_tunneled_request_as_eap = no
  }

...in eap.conf and then you'll get plain MS-CHAP at the Safeword server.

>
>
> I have configured all kinds of options suggested in this list to try to
> terminate the EAP tunnel in FreeRADIUS, but still EAP messages are sent to
> the Safeword server:
> A RADIUS Access-Request is sent, with these attribute value pairs:
> EAP-Message
> User-Name
> NAS-IP-Address
> Message-Authenticator
> Proxy-State
>
> I should expect a RADIUS Access-Request with these attribute value pairs:
> User-Name
> User-Password
> NAS-IP-Address
> NAS-Port
> Proxy-State

You will need to use EAP-TTLS/PAP to get exactly this.
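
To confirm which of the three cases above actually reaches the home server, the proxied Access-Request can be decoded and classified by its attributes. This is an added example, not part of the original post or of FreeRADIUS; the helper names and the sample packets (zeroed authenticator, placeholder values) are constructed for illustration.

```python
import struct
# Attribute numbers from RFC 2865/3579; Microsoft (vendor 311) VSAs from RFC 2548.
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         33: "Proxy-State", 79: "EAP-Message", 80: "Message-Authenticator"}
MS_ATTRS = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}

def attribute_names(packet: bytes) -> list:
    """Return the names of the attributes in a raw RADIUS packet, in order."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("short packet or bad RADIUS length field")
    names, pos = [], 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        hdr = packet[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > length:
            raise ValueError("truncated or malformed attribute")
        value = packet[pos + 2:pos + hdr[1]]
        if hdr[0] == 26 and len(value) >= 6 and value[:4] == struct.pack("!I", 311):
            names.append(MS_ATTRS.get(value[4], "MS-VSA-%d" % value[4]))
        else:
            names.append(ATTRS.get(hdr[0], "Attr-%d" % hdr[0]))
        pos += hdr[1]
    return names

def classify(packet: bytes) -> str:
    """Which kind of authentication is the home server being asked to perform?"""
    names = set(attribute_names(packet))
    if "EAP-Message" in names:
        return "EAP"        # inner EAP is still being proxied
    if names & {"MS-CHAP-Response", "MS-CHAP2-Response"}:
        return "MS-CHAP"    # PEAP inner method, proxy_tunneled_request_as_eap = no
    if "User-Password" in names:
        return "PAP"        # e.g. EAP-TTLS with inner PAP
    return "unknown"

def build(attrs) -> bytes:  # constructed Access-Request with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

def ms_vsa(vtype: int, data: bytes):
    return (26, struct.pack("!IBB", 311, vtype, len(data) + 2) + data)

# Constructed samples: every value is a placeholder, not captured traffic.
COMMON = [(1, b"user"), (4, bytes([192, 0, 2, 10])), (33, b"\x00\x01")]
AS_EAP = build([(79, b"\x02\x01\x00\x06\x1a\x00"), (80, bytes(16))] + COMMON)
MSCHAP = build([ms_vsa(11, bytes(16)), ms_vsa(25, bytes(50))] + COMMON)
PAP = build([(2, bytes(16)), (5, struct.pack("!I", 7))] + COMMON)
if __name__ == "__main__": print([classify(p) for p in (AS_EAP, MSCHAP, PAP)])
```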