Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP
Ivan Kalik
tnt at kalik.net
Fri Feb 1 01:14:52 CET 2008
Think about upgrading to 2.0.1. You can then configure the default home
server to handle requests A and another virtual server to terminate TLS
and proxy PAP requests to a remote home server.
I don't quite get this bit about encrypted requests. Radius packets
*are* encrypted.
Ivan Kalik
Kalik Informatika ISP
On 31/1/2008, "Joakim Lindgren" <joakim.lindgren at gmail.com> wrote:
>Hi all, thanks for your explanation earlier!
>
>I need your help with EAP-TTLS and PAP. I have earlier set up
>EAP-PEAP/EAP-TTLS and EAP-TLS, working OK!
>I tried configuring the TTLS-PAP inner and outer tunnel but it will not work
>(and yes I have searched the forum, as always ;-)
>
>Here is my explanation of what I'm trying to do:
>
>A. If an incoming user conn. against the FreeRadius Server (Nr1)
>belongs to the "OTHER" (LOCAL) domain, then
>the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I
>didn't name the server ;-)
>
>B. If an incoming user conn. against the FreeRadius Server (Nr1)
>belongs to the "SECURSERVER" domain, then
>the EAP-TTLS tunnel is ended and PAP is proxied to the other Radius (Nr 2).
>
>I have tried several different conf. and as best I see, requests are coming to
>Radius Nr2 but they're encrypted (Wireshark).
>The config files look like this (as for now, thanks in advance!):
>
>================================================
>eap.conf
>========
>
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> md5 {
> }
>
>
> leap {
> }
>
>
> gtc {
>
>
> auth_type = PAP
> }
>
>
> tls {
>
> private_key_password = password
> private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
> certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
> CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> fragment_size = 1024
> include_length = yes
> }
>
> ttls {
>
> default_eap_type = md5
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> }
>
> peap {
>
> default_eap_type = mschapv2
> proxy_tunneled_request_as_eap = no
> }
> mschapv2 {
> }
> }
>===END eap.conf=================================
>
>================================================
>users
>========
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS", Auth-Type := PAP
>DEFAULT Auth-Type != LDAP
>================================================
>
>================================================
>Proxy.conf
>========
>realm LOCAL {
> type = radius
> authhost = LOCAL
> accthost = LOCAL
>}
>
>realm SECURACCESS {
> type = radius
> authhost = 192.168.1.75:1812
> accthost = 192.168.1.75:1813
> secret = toor
># nostrip
>}
>================================================
>
>================================================
>radiusd.conf
>========
>
>....
>modules {
>
> pap {
> auto_header = yes
> }
>
> chap {
> authtype = CHAP
> }
>
>
> pam {
> pam_auth = radiusd
> }
>
>
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
>
>
>$INCLUDE ${confdir}/eap.conf
>
>
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
>}
>
>
>ldap {
> server = "192.168.1.71"
> identity = "cn=admin,o=Contonso"
> password = "toor"
> basedn = "o=Contonso"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = yes
> tls_mode = no
> tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_attribute = nspmPassword
> tls_require_cert = "allow"
> timeout = 4
> timelimit = 3
> net_timeout = 1
> port = 389
> edir_account_policy_check=yes
>}
>
>
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
>
>
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
>
>
>....
>
>authorize {
>
> preprocess
> chap
> mschap
> suffix
> ntdomain
> eap
> files
> ldap
> pap
>}
>
>
>
>authenticate {
>
> Auth-Type PAP {
> pap
> }
>
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
>
> unix
>
> Auth-Type LDAP {
> ldap
> }
> eap
>}
>
>
>post-auth {
> ldap
> Post-Auth-Type REJECT {
> ldap
> }
>
>}
>
>===END radiusd.conf=============================
>
>================================================
>clients.conf
>========
>client 192.168.1.0/24 {
> secret = toor
> shortname = private-network-1
>}
>
>================================================
>
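A sketch of the 2.x layout Ivan describes, as an added example that is not configuration from the original thread or from the FreeRADIUS project's own sample files. It keeps the realm names LOCAL and SECURACCESS and the 192.168.1.75 home server from Joakim's quoted proxy.conf, assumes the FreeRADIUS 2.0.x file layout (proxy.conf, eap.conf, sites-enabled/inner-tunnel) and a `realm suffix` module instance like the one in his radiusd.conf, and uses a placeholder for the shared secret. The TTLS tunnel is terminated on Nr1, the inner request is handed to the inner-tunnel virtual server, and there the realm module decides whether it stays local (LDAP) or is forwarded to Nr2 as plain PAP.

```text
# proxy.conf (FreeRADIUS 2.0.x): the remote home server, a pool and two realms.
home_server securaccess {
	type    = auth
	ipaddr  = 192.168.1.75                 # Radius Nr2, from the quoted proxy.conf
	port    = 1812
	secret  = REPLACE_WITH_SHARED_SECRET   # placeholder, must match Nr2's client entry
}

home_server_pool securaccess_pool {
	type        = fail-over
	home_server = securaccess
}

# A realm with a pool: the realm module sets Proxy-To-Realm and the request
# is forwarded. "nostrip" keeps user@SECURACCESS intact for Nr2.
realm SECURACCESS {
	auth_pool = securaccess_pool
	nostrip
}

# A realm without a pool is handled on this server (LDAP below).
realm LOCAL {
}

# eap.conf: terminate TTLS here and hand the inner request to a virtual server.
ttls {
	default_eap_type       = md5
	copy_request_to_tunnel = no
	use_tunneled_reply     = yes
	virtual_server         = "inner-tunnel"
}

# sites-enabled/inner-tunnel: processing of the decrypted inner request.
server inner-tunnel {
	authorize {
		suffix    # user@SECURACCESS -> Proxy-To-Realm set, proxied as PAP to Nr2
		ldap      # LOCAL users: look up the LDAP password, or set Auth-Type LDAP
		pap       # inner TTLS/PAP carries User-Password -> Auth-Type PAP
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type LDAP {
			ldap
		}
	}
}
```

What leaves Nr1 for the SECURACCESS realm is an ordinary RADIUS Access-Request carrying User-Name and User-Password, with the password attribute obfuscated under the shared secret of the `home_server` entry; that is why a capture at Nr2 does not show the password in the clear, and Nr2 needs a `client` entry for Nr1 with the same secret before it can decode and answer the request.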