Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

Ivan Kalik tnt at kalik.net
Fri Feb 1 01:32:21 CET 2008


Sorry, I just read your subject line. What is the request sent from the
supplicant: PEAP or EAP-TTLS/PAP?

Ivan Kalik
Kalik Informatika ISP


Dana 31/1/2008, "Joakim Lindgren" <joakim.lindgren at gmail.com> piše:

>Hi all, thanks for your explanation earlier!
>
>I need your help with EAP-TTLS and PAP. I have earlier setup
>EAP-PEAP/EAP-TTLS and EAP-TLS working OK!
>I tried configuring the TTLS-PAP inner and outer tunnel but it will not work
>(and yes I have searched the forum, as always ;-)
>
>Here are my explanation of what I´m trying to do:
>
>A. If an incoming user conn. against the FreeRadius Server (Nr1) is
>belonging to "OTHER" (LOCAL) domain then
>the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I
>didn´t name the server ;-)
>
>B. If an incoming user conn. against the FreeRadius Server (Nr1) is
>belonging to "SECURSERVER" domain then
>the EAP-TTLS tunnel is ended and PAP is proxied to other Radius (Nr 2).
>
>I have tried several different conf. and as best I see requests coming to
>Radius Nr2 but the´re encrypted (Wireshark).
>The config files looks like this (as for now, thanks in advance!):
>
>================================================================================================
>eap.conf
>========
>
>
>
>        eap {
>                default_eap_type = ttls
>                       timer_expire     = 60
>                  ignore_unknown_eap_types = no
>                cisco_accounting_username_bug = no
>                md5 {
>                }
>
>
>                leap {
>                }
>
>
>                gtc {
>
>
>                        auth_type = PAP
>                }
>
>
>                tls {
>
>                        private_key_password = password
>                        private_key_file =
>${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
>                        certificate_file =
>${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
>                CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
>                        dh_file = ${raddbdir}/certs/dh
>                        random_file = ${raddbdir}/certs/random
>                        fragment_size = 1024
>                        include_length = yes
>                }
>
>                ttls {
>
>                default_eap_type = md5
>                copy_request_to_tunnel = yes
>                use_tunneled_reply = yes
>                }
>
>                peap {
>
>                        default_eap_type = mschapv2
>                proxy_tunneled_request_as_eap = no
>                }
>                mschapv2 {
>                }
>        }
>===END
>EAP======================================================================================
>
>
>
>
>
>
>================================================
>users
>========
>DEFAULT           FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm :=
>LOCAL
>DEFAULT           FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
>"SECURACCESS", Auth-Type := PAP
>DEFAULT        Auth-Type != LDAP
>================================================
>
>
>
>
>
>================================================
>Proxy.conf
>========
>realm LOCAL {
>        type            = radius
>        authhost        = LOCAL
>        accthost        = LOCAL
>}
>
>realm SECURACCESS {
>        type            = radius
>        authhost        = 192.168.1.75:1812
>        accthost        = 192.168.1.75:1813
>        secret          = toor
>#       nostrip
>}
>================================================
>
>
>
>
>
>================================================================================================
>radiusd.conf
>========
>
>....
>modules {
>
>        pap {
>                auto_header = yes
>        }
>
>        chap {
>                authtype = CHAP
>        }
>
>
>        pam {
>                pam_auth = radiusd
>        }
>
>
>        unix {
>              cache = no
>                cache_reload = 600
>                radwtmp = ${logdir}/radwtmp
>        }
>
>
>$INCLUDE ${confdir}/eap.conf
>
>
>       mschap {
>              use_mppe = yes
>            require_encryption = yes
>            require_strong = yes
>}
>
>
>ldap {
>                server = "192.168.1.71"
>                identity = "cn=admin,o=Contonso"
>                password = "toor"
>                basedn = "o=Contonso"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                start_tls = yes
>                tls_mode = no
>                tls_cacertfile =
>/etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                ldap_connections_number = 5
>                password_attribute = nspmPassword
>                tls_require_cert = "allow"
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>                port = 389
>            edir_account_policy_check=yes
>}
>
>
>        realm suffix {
>                format = suffix
>                delimiter = "@"
>                ignore_default = no
>                ignore_null = no
>        }
>
>
>        realm ntdomain {
>                format = prefix
>                delimiter = "\\"
>                ignore_default = no
>                ignore_null = no
>        }
>
>
>....
>
>authorize {
>
>     preprocess
>    chap
>    mschap
>      suffix
>      ntdomain
>    eap
>    files
>    ldap
>      pap
>}
>
>
>
>authenticate {
>
>        Auth-Type PAP {
>                pap
>        }
>
>        Auth-Type CHAP {
>                chap
>        }
>        Auth-Type MS-CHAP {
>                mschap
>        }
>
>        unix
>
>        Auth-Type LDAP {
>                ldap
>        }
>        eap
>}
>
>
>post-auth {
>    ldap
>      Post-Auth-Type REJECT {
>      ldap
>        }
>
>}
>
>===END
>radiusd.conf================================================================================
>
>
>
>
>
>
>================================================
>clients.conf
>========
>client 192.168.1.0/24 {
>       secret          = toor
>       shortname       = private-network-1
>}
>
>================================================
>
>




More information about the Freeradius-Users mailing list