Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP
Joakim Lindgren
joakim.lindgren at gmail.com
Thu Jan 31 23:32:34 CET 2008
Hi all, thanks for your explanation earlier!
I need your help with EAP-TTLS and PAP. I have earlier set up
EAP-PEAP/EAP-TTLS and EAP-TLS, and they work OK!
I tried configuring the TTLS-PAP inner and outer tunnel, but it will not work
(and yes, I have searched the forum, as always ;-)
Here is my explanation of what I'm trying to do:
A. If an incoming user connection against the FreeRadius Server (Nr1)
belongs to the "OTHER" (LOCAL) domain, then
the EAP-TTLS tunnel is terminated and the user is validated against LDAP. (And yes, I
didn't name the server ;-)
B. If an incoming user connection against the FreeRadius Server (Nr1)
belongs to the "SECURSERVER" domain, then
the EAP-TTLS tunnel is terminated and the inner PAP request is proxied to the other Radius server (Nr 2).
I have tried several different configurations, and as best I can see, requests are arriving at
Radius Nr2 but they're encrypted (Wireshark).
The config files look like this (as of now; thanks in advance!):
================================================================================================
eap.conf
========
# FreeRADIUS EAP module configuration (eap.conf) as posted.
# NOTE(review): some "key = value" pairs below are split over two lines
# (private_key_file, certificate_file); that looks like mail-client wrapping.
# In the real file each must be on a single line.
eap {
# Outer EAP type offered to a client that does not ask for a specific type.
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
# Passwords received via inner GTC are checked with the PAP Auth-Type.
auth_type = PAP
}
# TLS settings shared by EAP-TLS, EAP-TTLS and EAP-PEAP (the outer tunnel).
tls {
# NOTE(review): a trivial passphrase on the server key adds nothing over
# file permissions; use a real passphrase, or no passphrase and restrictive
# permissions on the key file.
private_key_password = password
private_key_file =
${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
certificate_file =
${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
# CA chain used to verify client certificates (EAP-TLS).
CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
ttls {
# Only used when the inner (tunneled) authentication is itself EAP; a plain
# PAP inner request, the case described in the mail, does not go through it.
default_eap_type = md5
# Copy the outer request's attributes into the inner request, and return
# the inner reply's attributes to the NAS.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
peap {
default_eap_type = mschapv2
proxy_tunneled_request_as_eap = no
}
mschapv2 {
}
}
===END
EAP======================================================================================
================================================
users
========
# users file as posted. Entries are tried top to bottom; a DEFAULT entry
# without Fall-Through stops processing at the first match.
# NOTE(review): each entry below appears to have been wrapped by the mail
# client; check items and reply items of one entry belong on one line.
# Outer request (FreeRADIUS-Proxied-To absent): handle locally, overriding
# any Proxy-To-Realm the suffix/ntdomain modules derived from the outer
# identity. NOTE(review): confirm the "!*" operator semantics against
# users(5) for this version. If Nr2 is seeing EAP-Message/TLS data instead
# of a User-Password, the outer request is being proxied, so this entry is
# not matching as intended.
DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm :=
LOCAL
# Inner (tunneled) request: forward to the SECURACCESS home server.
# NOTE(review): this entry has no Realm/User-Name check item, so every inner
# request is proxied, including the LOCAL-domain users of case A; a realm
# check is presumably needed here. Auth-Type := PAP has no effect on a
# request that is proxied: the home server authenticates it, and the
# inner User-Password leaves this host protected only by the RADIUS shared
# secret of that realm.
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
"SECURACCESS", Auth-Type := PAP
# NOTE(review): "!=" is a comparison (check item), not an assignment, so
# this entry never sets Auth-Type. If the intent is to force LDAP
# authentication for requests matched by neither entry above, that is
# "DEFAULT Auth-Type := LDAP".
DEFAULT Auth-Type != LDAP
================================================
================================================
Proxy.conf
========
# proxy.conf as posted (FreeRADIUS 1.x realm syntax).
# Realm LOCAL: authhost/accthost = LOCAL means "handle on this server, do
# not proxy"; the users file sends outer requests here.
realm LOCAL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
# Realm SECURACCESS: the home server that receives the inner PAP request
# after the TTLS tunnel has been terminated on this server.
realm SECURACCESS {
type = radius
authhost = 192.168.1.75:1812
accthost = 192.168.1.75:1813
# NOTE(review): once the tunnel is terminated, the user's password travels
# to this host as a RADIUS User-Password protected only by this shared
# secret. "toor" is a trivial secret; use a long random one (matching the
# home server's client definition) and keep the path to 192.168.1.75 on a
# trusted network.
secret = toor
# nostrip is commented out, so the realm is presumably stripped from
# User-Name before proxying when a realm module matched it; the home
# server then sees the user part only. Uncomment to forward the full name.
# nostrip
}
================================================
================================================================================================
radiusd.conf
========
...
modules {
# Module instances from the radiusd.conf "modules" section; the section's
# own opening and closing braces are outside this excerpt ("...").
pap {
# Auto-detect the hash-type header on stored passwords.
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
# Pulls in the eap {} configuration shown above.
$INCLUDE ${confdir}/eap.conf
mschap {
# Hand out MPPE keys and require encryption for MS-CHAP sessions.
use_mppe = yes
require_encryption = yes
require_strong = yes
}
ldap {
server = "192.168.1.71"
# Bind credentials used for the user search and for reading
# password_attribute below.
identity = "cn=admin,o=Contonso"
# NOTE(review): "toor" is a trivial bind password for an admin DN, stored
# here in clear text; restrict permissions on radiusd.conf and use a
# dedicated, least-privilege bind account.
password = "toor"
basedn = "o=Contonso"
# Look the user up by uid, preferring the realm-stripped name when the
# realm modules produced one.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# STARTTLS on the plain port (tls_mode = no means no ldaps).
start_tls = yes
tls_mode = no
# NOTE(review): value wrapped by the mail client; one line in the real file.
tls_cacertfile =
/etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# eDirectory attribute the user's password is read from, so the bind DN
# above needs read access to it.
password_attribute = nspmPassword
# NOTE(review): "allow" accepts a missing or unverifiable server
# certificate, so STARTTLS here does not protect against an impersonated
# LDAP server; once tls_cacertfile is correct this should be "demand".
tls_require_cert = "allow"
timeout = 4
timelimit = 3
net_timeout = 1
port = 389
edir_account_policy_check=yes
}
# Realm modules: split the realm off User-Name and, when the realm is known
# from proxy.conf, set Proxy-To-Realm for it.
realm suffix {
# user@REALM
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm ntdomain {
# REALM\user ("\\" is an escaped single backslash)
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
...
# Order matters: suffix/ntdomain run before eap so the realm is known for
# the outer request, and files (the users file) runs after them so its
# ":=" Proxy-To-Realm assignments override what the realm modules set.
authorize {
preprocess
chap
mschap
suffix
ntdomain
eap
files
ldap
pap
}
# A request with a non-LOCAL Proxy-To-Realm is proxied and never reaches
# this section; only locally handled requests are authenticated here.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
# Case A: users kept local are checked against the LDAP server.
Auth-Type LDAP {
ldap
}
# Outer EAP-TLS/TTLS/PEAP handling and inner EAP types.
eap
}
post-auth {
# ldap runs after every result, and again for rejects; presumably for the
# eDirectory account-policy checks enabled in the ldap module - confirm.
ldap
Post-Auth-Type REJECT {
ldap
}
}
===END
radiusd.conf================================================================================
================================================
clients.conf
========
# clients.conf as posted. The shared secret is what authenticates a NAS to
# this server and the only protection on User-Password in PAP requests.
# NOTE(review): one trivial secret ("toor") for a whole /24 lets any host on
# that subnet submit requests; prefer one client entry per NAS, each with a
# long random secret.
client 192.168.1.0/24 {
secret = toor
shortname = private-network-1
}
================================================