Is it possible to terminate EAP/Authentication on an entirely different radius box through freeradius?
Max Palatnik
mpalatnik at wustl.edu
Fri Jul 10 22:30:16 CEST 2009
I can't believe it. We had a line in our hints file that was totally
screwing us up -- I had no idea it was there until just now:
DEFAULT Prefix == "anonymous", Strip-User-Name = No
        Realm = "LOCAL"
This is why I couldn't understand what you guys were talking about:
since we always use anonymous as our outer identity for TLS-type
connections, I could not for the life of me figure out why adding a
server to proxy.conf would ever work. Is it possible to select
based on EAP type (i.e. if TTLS, do LOCAL authentication)? Right now we
are doing it based on prefix/suffix.
Regardless, I think we have this solved now. This problem was way
easier than we thought once we got a grasp on all of the processing we
were doing. Argh! Thank you Ivan & Alan for pointing us in the right
direction.
Sincerely,
Max
A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>
>> What we are wondering is if it's possible to still have requests come
>> through to our freeradius box, and instead of providing the certificate
>> and proxying the contents of the inner tunnel to the AD box, if it's
>> possible to simply proxy the entire request, PEAP/MSCHAP and all,
>> directly to their AD servers? They are hesitant to allow our freeradius
>> box to join the domain, and if it's doable, a workaround would be the
>> preferred route.
>>
>
> yes, sure you can - they'll have to run IAS or NPS (AD 2003 or AD 2008 etc.)
> and then you simply proxy the whole shaboodle off to them to deal with
> - then you don't need to play around with ntlm_auth etc. etc. Of course,
> they'll have to put the required certs onto their auth system but that's a minor
> issue.
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
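As an added illustration (not configuration from this thread or from the FreeRADIUS project), here is a FreeRADIUS 2.x proxy.conf fragment that forwards the whole EAP exchange for one realm to a remote IAS/NPS box, with the hints entry from the message above shown as the line that defeats it; the realm name, address and shared secret are placeholders.

```text
# --- raddb/hints ---
# The entry below (quoted from the message above) assigns realm LOCAL to every
# outer identity starting with "anonymous" before proxy.conf is consulted, so a
# remote realm never matches. Comment it out if anonymous outer identities are
# meant to be proxied by suffix.
#DEFAULT Prefix == "anonymous", Strip-User-Name = No
#        Realm = "LOCAL"

# --- raddb/proxy.conf ---
# Placeholder remote IAS/NPS server (address and secret are examples).
home_server ad_nps {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = CHANGE_ME
        # Proxied EAP requests must carry a valid Message-Authenticator
        # (RFC 3579), so refuse replies that lack one.
        require_message_authenticator = yes
        # Probe the remote server so a dead peer is noticed rather than
        # silently swallowing every authentication.
        status_check = status-server
}

home_server_pool ad_pool {
        type = fail-over
        home_server = ad_nps
}

# Requests with the suffix example.com are forwarded unchanged (nostrip), so
# PEAP/MSCHAPv2 terminates on the remote box and the inner tunnel never has
# to be opened here. The remote side must hold the server certificate.
realm example.com {
        auth_pool = ad_pool
        nostrip
}

# Everything without a matching suffix is still authenticated locally.
realm LOCAL {
}
```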
More information about the Freeradius-Users mailing list