Terminate TLS and proxy PEAP

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 13 13:07:42 CEST 2007


On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
> 
> 
> Phil Mayers wrote:
> > 
> > On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
> > 
> > You can certainly terminate the PEAP and still proxy the inner
> > EAP-MSCHAP to another radius server; however as far as I am aware,
> > FreeRadius doesn't yet have support for the various health state
> > attributes, or for that matter >1 set of data inside the PEAP tunnel.
> > 
> > In particular if you are talking about the Vista built-in health check
> > packets, that uses PEAPv2 which FreeRadius doesn't support, and you
> > won't be able to terminate.
> > 
> 
> Yes I'm talking about the Vista built-in health check packets. I used a
> packet sniffer to analyze the submitted packets and compared them with the
> PEAPv2 specification
> (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11,
> 2.1.4. Version Negotiation). According to the specification PEAP v0 is used by
> Vista, so it should be possible to use FreeRadius as proxy to decrypt the
> packages, to analyze the health state (has to be implemented) and to proxy
> the inner EAP-MSCHAP to another radius server?
> 

Provided FreeRadius can parse the PEAP contents (which it can't) then
yes, sending the inner EAP-MSCHAP to another server is easy:

DEFAULT	FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
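As an added illustration (not part of the original mail), here is the users-file entry above together with the proxy.conf realm it refers to, in the FreeRADIUS 1.x syntax current at the time of this thread. The realm name "foo", the home server address 192.0.2.10 and the shared secret are placeholders; the PEAP module sets FreeRadius-Proxied-To to 127.0.0.1 only on the request it builds from the tunnelled inner EAP, so the outer (unencrypted) request never matches this entry.

```conf
# Added example, not from the original post. "foo", 192.0.2.10 and the
# secret are placeholders; replace them with the real home server.

# raddb/users
# Requests generated by rlm_eap_peap for the inner tunnel carry
# FreeRadius-Proxied-To = 127.0.0.1. Match only those and hand them to
# the realm "foo"; the outer request does not have the attribute, so it
# is still authenticated (PEAP/TLS) locally.
DEFAULT	FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"

# raddb/proxy.conf
# Home server that will run the EAP-MSCHAPv2 conversation. It must have
# the eap module with the mschapv2 type enabled and must know the same
# secret. nostrip keeps any realm suffix in User-Name when forwarding.
realm foo {
	type		= radius
	authhost	= 192.0.2.10:1812
	accthost	= 192.0.2.10:1813
	secret		= testing123
	nostrip
}
```

Two caveats a practitioner should keep in mind. First, only the inner EAP-MSCHAPv2 exchange is forwarded: the TLS tunnel is still terminated by this FreeRADIUS, so the home server never sees the Vista health-state data, which is the part FreeRADIUS cannot parse in the first place. Second, the session keys handed to the NAS come from the PEAP terminator, derived from the TLS master secret, not from the MS-MPPE keys the home server returns for the inner MSCHAPv2, so the home server does not need to be trusted with, or capable of producing, the 802.11 keying material.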
