Terminate TLS and proxy PEAP

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 13 10:48:36 CEST 2007


On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
> Hi
> 
> At the moment I use FreeRADIUS to proxy eap peap mschapv2 request to a
> RADIUS server for authentication. The connecting machine submits in addition
> to the authentication information, some information about its health state
> encrypted in the PEAP packets.
> 
> Is there a possibility to decrypt the packets on the FreeRADIUS Proxy, to
> get the health state, and forward the PEAP packets for authentication to the
> RADIUS server? Or in other words, is there a possibility to determine the
> TLS-Connection on the FreeRADIUS proxy and to forward the PEAP packets to
> the RADIUS Server and how the FreeRADIUS proxy has to be configured?

You can certainly terminate the PEAP and still proxy the inner
EAP-MSCHAP to another radius server; however, as far as I am aware,
FreeRADIUS doesn't yet have support for the various health state
attributes, or for that matter >1 set of data inside the PEAP tunnel.

In particular, if you are talking about the Vista built-in health check
packets, those use PEAPv2, which FreeRADIUS doesn't support, and you
won't be able to terminate.
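
A configuration sketch of the setup the reply describes (PEAP terminated on the proxy, inner EAP-MSCHAPv2 forwarded to a home server), added here as an example and not taken from the thread or from the project's shipped files. It assumes a FreeRADIUS 2.x-style layout; the realm name "backend", the home server address, the certificate paths and the shared secret are placeholders.

```conf
# --- eap.conf on the proxy: the PEAP/TLS tunnel ends here ---
eap {
    default_eap_type = peap
    tls {
        # Certificate the supplicant sees and must validate (placeholder paths)
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
    peap {
        default_eap_type = mschapv2
        # yes: forward the inner EAP-MSCHAPv2 as EAP to the home server
        # no:  unwrap it and forward plain MS-CHAPv2 attributes instead
        proxy_tunneled_request_as_eap = yes
        # Keep outer and inner attribute sets separate
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Inner (tunnelled) requests are processed by this virtual server
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# --- sites-available/inner-tunnel: proxy every tunnelled request ---
server inner-tunnel {
    authorize {
        update control {
            Proxy-To-Realm := "backend"    # hypothetical realm name
        }
    }
}

# --- proxy.conf: where the "backend" realm is served ---
home_server backend1 {
    type = auth
    ipaddr = 192.0.2.10                    # placeholder address (TEST-NET-1)
    port = 1812
    secret = CHANGE_ME                     # placeholder shared secret
}
home_server_pool backend_pool {
    type = fail-over
    home_server = backend1
}
realm backend {
    auth_pool = backend_pool
}
```

The outer virtual server still needs `eap` listed in its authorize and authenticate sections. With the tunnel ending on the proxy, the inner exchange is visible to the proxy and travels to the home server protected only by RADIUS and its shared secret.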




More information about the Freeradius-Users mailing list