freeradius proxy with 802.1x termination

John Gammons jgammons at gmail.com
Thu Jan 7 16:19:53 CET 2010


Thanks for the tips guys.  Been doing some more digging and learning a
lot... but maybe I should take a step back here and explain what I am
trying to accomplish....

My client "Ubiquiti Nanostation" only supports EAP-TTLS MSCHAPv2.

My NAS only supports access-requests using PAP/CHAP passwords in clear-text.

I am attempting to set up a "Radius Proxy" that terminates the EAP-TTLS
outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text
user/pass to the NAS for authentication.  The more I read, the more I
am getting the impression that this is not possible.  Is that the
case?

John

On Wed, Jan 6, 2010 at 3:43 PM, Alan DeKok <aland at deployingradius.com> wrote:
> John Gammons wrote:
>> After doing some more digging, I think I am catching onto this... somewhat.
>>
>> It sounds like I need to have the Radius Proxy, authenticate the Outer
>> Identity of the EAP-TTLS session locally, while the Inner Identity is
>> proxied to the Home Radius server.
>
>  Yes.
>
>> I have set up the Outer identity to be Anonymous@outer which is proxied
>> to LOCAL,
>
>  Er... no.  Don't proxy it.
>
>> while the Inner identity is @inner and proxied to Home
>> Radius.  The problem is that when I run radiusd -x, I never see the
>> @outer message, so the @inner is getting forwarded as an EAP, instead
>> of only as a MS-CHAP-V2.
>
>  See eap.conf, proxy_tunneled_request_as_eap.
>
>> Anyone know what I am overlooking?  I have a crude understanding of
>> this entire process at best, I know.  :)
>
>  See doc/aaa.txt for a simple introduction to the process.
>
>  Alan DeKok.