Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP

Guy Davies aguydavies at gmail.com
Thu Jan 31 11:43:04 CET 2008


Joakim

You could certainly do this with EAP-TTLS/PAP.  I know because I've
done it myself in a previous job.

It's quite simple really.  You have the outer authentication using one
realm (possibly the null realm and using the name 'anonymous').  In
the inner authentication, you use another realm that is proxied by the
FreeRADIUS server to the remote server supporting PAP.  I've done
exactly this with CryptoCARD servers and with Vasco servers.  You may
need to strip the decoration from the username before forwarding the
PAP authentication request to the back end server.

e.g. guyd at foo.com might need to be reduced to just guyd before that
username would be correctly authenticated by the backend server.

Rgds,

Guy

On 31/01/2008, Joakim Lindgren <joakim.lindgren at gmail.com> wrote:
> Hi all (and really thanks to Alan DeKok),
>
> I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius
> and IAS.
> A piece of software I'm using offers two-factor authentication, and they have
> their own Radius which only supports PAP.
>
> Is it possible to terminate the client EAP connection at the FreeRadius
> proxy and forward the request as a PAP to
> the software vendor's own Radius?
>
> In case that works, briefly, how do I do it?
>
> Thanks all!
>  (I'm going to buy Alan DeKok's upcoming FreeRadius book ;-)
>
> Sincerely Joakim
>
>
>
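
The setup described in the reply above (EAP-TTLS terminated locally, inner PAP request proxied by realm with the username stripped), written out as FreeRADIUS configuration. This is an added example, not configuration from either poster; it assumes the FreeRADIUS 3.x file layout, and the home server name, address and secret are placeholders.

```conf
# --- proxy.conf: the PAP-only back end (name, address, secret are placeholders) ---
home_server otp_backend {
	type   = auth
	ipaddr = 192.0.2.10          # constructed example address
	port   = 1812
	# User-Password is only obscured with this secret on the proxy hop,
	# so make it long and random.
	secret = CHANGE_ME_long_random_secret
}

home_server_pool otp_pool {
	type        = fail-over
	home_server = otp_backend
}

# Realm used by the INNER identity. Without "nostrip" the proxied
# User-Name is the stripped form: guyd@foo.com is sent on as guyd.
realm foo.com {
	auth_pool = otp_pool
}

# No realm is defined for the OUTER identity ("anonymous", null realm),
# so the outer EAP-TTLS conversation is handled by this server.

# --- mods-available/eap: terminate the tunnel here ---
eap {
	ttls {
		# existing tls settings stay as they are
		# hand the tunnelled PAP request to its own virtual server
		virtual_server = "inner-tunnel"
	}
}

# --- sites-available/inner-tunnel: route the inner identity by realm ---
server inner-tunnel {
	authorize {
		# matches user@realm and sets Proxy-To-Realm for foo.com
		suffix
		# If the file forces Proxy-To-Realm := LOCAL after "suffix"
		# (the stock 3.x file does), remove that so the inner
		# request is actually proxied.
	}
}
```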



