Terminate TLS and proxy PEAP

tnt at kalik.co.yu
Thu Sep 13 14:13:33 CEST 2007


Try reading the post you have replied to.

Ivan Kalik
Kalik Informatika ISP


On 13/9/2007, "fuki" <lukas.akermann at unifr.ch> wrote:

>
>
>
>Phil Mayers wrote:
>>
>> On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
>>>
>>>
>>> Phil Mayers wrote:
>>> >
>>> > On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
>>> >
>>> > You can certainly terminate the PEAP and still proxy the inner
>>> > EAP-MSCHAP to another radius server; however as far as I am aware,
>>> > FreeRadius doesn't yet have support for the various health state
>>> > attributes, or for that matter >1 set of data inside the PEAP tunnel.
>>> >
>>> > In particular if you are talking about the Vista built-in health check
>>> > packets, that uses PEAPv2 which FreeRadius doesn't support, and you
>>> > won't be able to terminate.
>>> >
>>>
>>> Yes I'm talking about the Vista built-in health check packets. I used a
>>> packet sniffer to analyze the submitted packets and compared them with the
>>> PEAPv2 specification
>>> (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11,
>>> 2.1.4. Version Negotiation). According to the specification PEAP v0 is used by
>>> Vista, so it should be possible to use FreeRadius as proxy to decrypt the
>>> packages, to analyze the health state (has to be implemented) and to proxy
>>> the inner EAP-MSCHAP to another radius server?
>>>
>>
>> Provided FreeRadius can parse the PEAP contents (which it can't) then
>> yes, sending the inner EAP-MSCHAP to another server is easy:
>>
>> DEFAULT	FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
>Based on
>http://lists.freeradius.org/pipermail/freeradius-users/2005-March/042098.html
>I got the following idea (it's suggested to work with FreeRadius):
>
>RADIUS Client <- PEAP (eap-mschapv2) -> FreeRadius Proxy (TLS termination
>and conversion) <- mschapv2 -> RADIUS Server
>
>Are there any comments on this recommendation? If it works, does somebody
>know how to configure the FreeRadius proxy?
>--
>View this message in context: http://www.nabble.com/Terminate-TLS-and-proxy-PEAP-tf4434055.html#a12653324
>Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>
>
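The quoted discussion turns on which PEAP version a supplicant actually negotiates, which can be read from the Flags/Ver octet of sniffed EAP packets. The following is an added example, not part of the original thread or of FreeRADIUS: it decodes that octet from two constructed sample packets. The function names, the 3-bit version mask and the "peer answers with a version no higher than the server's offer" rule are assumptions based on the field layout and version negotiation section of the draft cited in the thread.

```python
import struct

EAP_TYPE_PEAP = 25                      # EAP method type number assigned to PEAP
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
VERSION_MASK = 0x07                     # assumption: Ver is the low 3 bits of the Flags octet

# Constructed sample packets (not from a real capture).
START_REQ = bytes.fromhex("010100061921")                   # Request, S flag, Ver=1
FIRST_RESP = bytes.fromhex("0201000e19800000000416030100")  # Response, L flag, Ver=0

def parse_peap(pkt: bytes) -> dict:
    """Decode the EAP header and PEAP Flags/Ver octet of one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (1, 2):
        raise ValueError("only Request (1) and Response (2) carry a Type")
    if length < 6 or length > len(pkt):
        raise ValueError("Length field too small or beyond captured bytes")
    if pkt[4] != EAP_TYPE_PEAP:
        raise ValueError(f"EAP type {pkt[4]} is not PEAP")
    flags = pkt[5]
    info = {
        "code": code, "id": ident,
        "start": bool(flags & FLAG_S),
        "more_fragments": bool(flags & FLAG_M),
        "version": flags & VERSION_MASK,
        "tls_message_length": None,
    }
    if flags & FLAG_L:                  # 4-byte TLS Message Length follows
        if length < 10:
            raise ValueError("L flag set but no TLS Message Length")
        info["tls_message_length"] = struct.unpack("!I", pkt[6:10])[0]
    return info

def negotiated_version(start_req: bytes, first_resp: bytes):
    """Version the peer answered with, or None if the exchange is inconsistent."""
    req, resp = parse_peap(start_req), parse_peap(first_resp)
    if not req["start"] or req["code"] != 1 or resp["code"] != 2:
        return None
    # Assumption: the peer may only answer with a version <= the server's offer.
    return resp["version"] if resp["version"] <= req["version"] else None

if __name__ == "__main__":
    print(parse_peap(START_REQ))
    print(parse_peap(FIRST_RESP))
    print("negotiated PEAP version:", negotiated_version(START_REQ, FIRST_RESP))
```
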



