Proxying EAP-TTLS requests via 2.1.0 to 1.1.7

Alan DeKok aland at deployingradius.com
Wed Sep 24 14:28:43 CEST 2008


Peter Eriksson wrote:
> I'm trying to set up a rather complicated RADIUS structure that I hope
> will be able to support a number of different needs.

  2.1 should be *much* easier than 1.1.x.  See the virtual server
configuration.  It means that one server can do all of this, while still
keeping each configuration separate.

> It seems I should be able to distinguish at the RADIUS server side
> between #1 and #2 via the "Called-Station-Id" attribute since the
> D-Link APs we are using set that to something like:

  Yes.

> Users connecting to the 802.1x enabled physical ethernet ports should

  First, write down how those requests are different from (1) and (2).
Then, use that information to create policies.

> Modem pool users should accept requests from three different realms

  Again, first decide how these requests are different from the previous
ones.  Then, create policies.

> VPN pool users should do something similar to #4 but using the
> Nortel-specific attributes.

  And how are these requests distinguished from others?

> Anyway - what I'm curious about is if there are others 'out there' that
> have done similar stuff before?

  Yes.  Lots.

> Any cookbooks for setting up a FreeRadius 2 server in an EDUROAM
> environment?

  I don't have links handy, but yes...


> FreeRadius 2.1.0 directly to the Access Point (with a response received
> via Proxying to the same 1.1.7 server):
...
> Sending Access-Accept of id 6 to 192.168.160.158 port 1036
>         Vendor-Specific = 0x00000137113485654 39b6986f71bfa7425319eac8dd791f24936bc66a8cdd928a91c9c4343958ef0402124dd4f552726302e356b878e6474
>         Vendor-Specific = 0x0000013710348b855687f3a4ef1194289232229fe0be952c98689fb606c1e9d6ceae6a388baee98eeb292be2d41ae58efa7f67737dec758c
>         EAP-Message = 0x03060004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "testson"
> Finished request 6.
> 
> (I assume that 'Vendor-Specific' stuff is the MS-MPPE-Recv-Key stuff
> that the 1.1.7 talks about).

  Yes.  But it's *not* being printed as MS-MPPE-Recv-Key, which means
you've broken the dictionaries somehow.

  Alan DeKok.
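Added example (editor's note, not part of the original post or of FreeRADIUS): the two Vendor-Specific blobs and the EAP-Message from the Access-Accept quoted above, decoded by hand. It shows why Alan says a working dictionary would have printed them by name: the first four bytes are Vendor-Id 0x00000137 = 311 (Microsoft), and the next byte is the vendor type, 0x11 = 17 (MS-MPPE-Recv-Key) in the first blob and 0x10 = 16 (MS-MPPE-Send-Key) in the second, per RFC 2548. The hex strings are the quoted values with the mailing-list line wrap removed; the attribute and vendor numbers come from RFC 2548 and RFC 3748, and the function names are this example's own. The keys themselves are not decrypted, since that needs the shared secret and the Request-Authenticator, neither of which is in the debug output.

```python
"""Decode the raw Vendor-Specific blobs from the quoted Access-Accept (added example).

Attribute numbers come from RFC 2548 (Microsoft vendor 311, MS-MPPE-Send-Key = 16,
MS-MPPE-Recv-Key = 17) and RFC 3748 (EAP codes).  Function names are assumptions
of this example, not FreeRADIUS or any library API.
"""
import struct

MS_VENDOR_ID = 311                      # 0x00000137, the leading 4 bytes of each blob
MS_ATTRS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

# Values copied from the Access-Accept in the post, joined back into one line each.
RECV_KEY_VSA = bytes.fromhex(
    "0000013711348565439b6986f71bfa7425319eac8dd791f24936bc66a8cdd928a91c9c4343958ef040212"
    "4dd4f552726302e356b878e6474"
)
SEND_KEY_VSA = bytes.fromhex(
    "0000013710348b855687f3a4ef1194289232229fe0be952c98689fb606c1e9d6ceae6a388baee98eeb292"
    "be2d41ae58efa7f67737dec758c"
)
EAP_SUCCESS = bytes.fromhex("03060004")


def parse_vsa(value):
    """Split a Vendor-Specific value (RFC 2865 s5.26) into (vendor_id, [(vendor_type, data), ...]).

    Raises ValueError on a malformed blob: the embedded vendor-length is attacker
    controlled and must not be trusted to stay inside the attribute.
    """
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the 4-byte Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header at offset %d" % pos)
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor-length %d at offset %d" % (vlen, pos))
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def is_well_formed_vsa(value):
    """True if parse_vsa() accepts the blob, False if it rejects it."""
    try:
        parse_vsa(value)
        return True
    except ValueError:
        return False


def name_vsa(value):
    """The names a server with a working Microsoft dictionary would print for this blob."""
    vendor_id, subs = parse_vsa(value)
    names = []
    for vtype, _data in subs:
        if vendor_id == MS_VENDOR_ID and vtype in MS_ATTRS:
            names.append(MS_ATTRS[vtype])
        else:
            # Unknown vendor or type: nothing better than a raw vendor/type pair.
            names.append("Vendor-%d-Attr-%d" % (vendor_id, vtype))
    return names


def describe_mppe_key(data):
    """Return (salt, ciphertext_len) for an MS-MPPE-*-Key value (RFC 2548 s2.4.2/2.4.3).

    The key is not recovered: decrypting it needs the shared secret and the
    Request-Authenticator, which are not in the debug output.
    """
    if len(data) < 2 + 16:
        raise ValueError("MPPE key value too short")
    salt = struct.unpack("!H", data[:2])[0]
    if not salt & 0x8000:
        raise ValueError("MPPE salt must have its most significant bit set")
    ciphertext = data[2:]
    if len(ciphertext) % 16:
        raise ValueError("MPPE ciphertext must be a multiple of 16 octets")
    return salt, len(ciphertext)


def parse_eap(value):
    """Return (code_name, identifier, length) from the EAP header (RFC 3748 s4)."""
    code, ident, length = struct.unpack("!BBH", value[:4])
    code_name = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}.get(code, "Unknown-%d" % code)
    return code_name, ident, length


if __name__ == "__main__":
    for blob in (RECV_KEY_VSA, SEND_KEY_VSA):
        vendor_id, subs = parse_vsa(blob)
        for (vtype, data), name in zip(subs, name_vsa(blob)):
            salt, clen = describe_mppe_key(data)
            print("%s (vendor %d, type %d): salt 0x%04x, %d bytes of ciphertext"
                  % (name, vendor_id, vtype, salt, clen))
    print("EAP-Message: %s, id %d, length %d" % parse_eap(EAP_SUCCESS))
```

Run it and the two blobs come out as MS-MPPE-Recv-Key and MS-MPPE-Send-Key, each with a 2-byte salt (high bit set, as RFC 2548 requires) followed by 48 bytes of ciphertext, and the EAP-Message decodes as EAP Success, identifier 6, length 4. The bounds checks in parse_vsa are the part worth copying: a vendor-length that runs past the end of the attribute is exactly the kind of malformed input a RADIUS parser has to reject rather than read through.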
