STILL Trying to get tunneling to work- resolved, and a question

Alan DeKok aland at deployingradius.com
Fri Jan 29 20:44:08 CET 2010


Mike Bernhardt wrote:
> I found the major problem that caused my configuration to not work. This was
> in regards to getting freeradius to proxy EAP/PEAP to IAS servers as
> standard CHAP.

  ?  That's impossible.  PEAP uses an MD4 hash of the password, and CHAP
uses an MD5 hash of the password.  You can't turn one into the other.

  Perhaps you mean something else, like proxying PEAP as plain MS-CHAP?

> The solution was to back down to 2.1.4. Is this a bug that was introduced
> after that, or what? I can email config files to whomever needs them to work
> on it.

  Sure.  Send them over.

> So, I now have another question: I have set up 2 IAS servers in a pool. I
> would like to drastically reduce the timeout before freeradius fails over to
> the 2nd one. How do I do that? Right now it takes about 30 seconds but I
> don't see a variable to change that.

  See proxy.conf.  The variables there control fail-over per home server.

> I also noticed that the status requests, which begin after it has marked a
> server as bad, do not work.

  What does that mean?

> How do I use the user name and [bad] password to
> check status and bring it back sooner? It only seems to try it once and
> that's it.

  It does try more than once...

  Alan DeKok.
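
The per-home-server fail-over settings in proxy.conf that the reply points to, as an added example that is not part of the original message or anyone's actual configuration. Server names, addresses (documentation range), the realm, the secret and the probe account are constructed placeholders, and the timer values are illustrative, not recommendations.

```conf
# proxy.conf fragment (FreeRADIUS 2.x syntax). All values are constructed.
home_server ias1 {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE_ME_1

	# Seconds to wait for a reply before the server is treated as unresponsive.
	response_window = 6
	# Seconds the server stays "zombie" (still tried last) before marked dead.
	zombie_period   = 12

	# Probe a dead server with an Access-Request instead of Status-Server.
	# Any reply, including Access-Reject, counts as an answer.
	status_check = request
	username     = "radius-probe"
	password     = "not-the-real-password"
	check_interval       = 10   # seconds between probes
	num_answers_to_alive = 3    # replies needed before it is marked alive
}

home_server ias2 {
	type   = auth
	ipaddr = 192.0.2.11
	port   = 1812
	secret = CHANGE_ME_2
	response_window = 6
	zombie_period   = 12
	status_check = request
	username     = "radius-probe"
	password     = "not-the-real-password"
	check_interval       = 10
	num_answers_to_alive = 3
}

# Try ias1 first; use ias2 only when ias1 is zombie or dead.
home_server_pool ias_pool {
	type = fail-over
	home_server = ias1
	home_server = ias2
}

realm example.org {
	auth_pool = ias_pool
}
```

A probe account that never authenticates successfully produces a steady stream of rejects in the home server's logs, so exclude it from failed-logon alerting and make sure it holds no access rights.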


