Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Max Palatnik
mpalatnik at wustl.edu
Fri Jul 10 20:11:08 CEST 2009
Hi all,

I have a question that some coworkers and I have been unable to answer
in the last few weeks and we are hoping to have your insight. Here are
the details (if I leave something important out, please let me know):

We are running radiusd: FreeRADIUS Version 1.1.7, for host
sparc-sun-solaris2.10

Currently we have TTLS/PAP authentication set up and working just fine.
Some authentication occurs locally, while other realms are proxied off
to another radius server that shares a secret with us, but all TTLS
tunnels are terminated by our freeradius box and then proxying is done
radius to radius server.

In the near future we will have some AD servers (LDAP) which will
authenticate enterprise-wide credentials that are being issued to
everyone on campus. In lab, we have made PEAP terminate on freeradius
and then have used ntlm_auth & samba to proxy ms_chap out to the AD
server for authentication.

What we are wondering is if it's possible to still have requests come
through to our freeradius box, and instead of providing the certificate
and proxying the contents of the inner tunnel to the AD box, if it's
possible to simply proxy the entire request, PEAP/MSCHAP and all,
directly to their AD servers? They are hesitant to allow our freeradius
box to join the domain, and if it's doable, a workaround would be the
preferred route.

I hope this makes sense and thanks for any help offered.

Sincerely,
Max