configuring proxy base on eap-type

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon May 24 17:58:40 CEST 2010


Hi,

> Yes, JUAC is an inner EAP protocol, inside ttls or peap. In our setup,
> it must be preferred because I have powerful client-side host-checking
> features allowing to deeply control a lot of things mainly on Microsoft
> and Apple workstations (update level, antivirus, and so on ...)
> Customer tried to make it work with the help of Juniper's engineers
> using SteelBelted in front doing proxy to UAC for inner JUAC, but they
> failed because there are some other EAP protocols present in the
> production network they have not been able to support after many weeks
> of effort.
> I have proposed to replace SteelBelted by freeradius, and I succeeded in
> passing initial testing, but my current setup was without inner-tunnel
> modules correctly configured, which means there is a lot of unneeded
> ldap access (anonymous identities which do not exist in the ldap backend
> and so on ...) and the impossibility of configuring the outer and inner
> (when present) author/authent separately ...

hmmm...apart from the Apple OSX support I'd be tempted to point you to the
SVN of FreeRADIUS that contains Microsoft NAC support - which lets you check
Windows stuff (anti-virus present/up to date, Windows updates, firewall etc)
just using the built-in supplicant in XP SP3, Vista and 7.
It should be present in FreeRADIUS 2.2.x - but no OSX support yet...because
I think that'll need additional program/supplicant code on the client.

Regarding your query though.....hmmm, you should be able to see the EAP-Type
and do something in unlang to update the control socket....but as it's the
inner type that might be too late in the process. Or maybe not. In inner-tunnel
itself you can allow extra proxying to occur. It's nasty and you'd be treading
down a path that fewer people have worn...so take care.

alan
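As an added illustration (not from this thread and not FreeRADIUS's shipped configuration), the fragment below puts Alan's sketch and the original poster's LDAP complaint into one inner-tunnel virtual server for FreeRADIUS 2.x: the inner EAP-Type is inspected in unlang, only the JUAC method is handed to a home server via Proxy-To-Realm, and the directory lookup happens only for locally authenticated inner identities. The realm name `juac-uac` (assumed to be defined in proxy.conf) and a local dictionary VALUE named `JUAC` for EAP-Type (the thread gives no type number) are assumptions.

```unlang
# raddb/sites-available/inner-tunnel (FreeRADIUS 2.x) - added example, not the
# shipped configuration. Assumes a realm "juac-uac" in proxy.conf pointing at
# the Juniper UAC appliance, and "VALUE EAP-Type JUAC <n>" in the local
# dictionary (the numeric type is not given in this thread).
server inner-tunnel {
    authorize {
        # Strip any "@realm" suffix from the inner identity.
        suffix

        # The eap module decodes the tunnelled EAP-Message and adds EAP-Type
        # to the request list once the client has answered with a concrete
        # method. It is absent on the EAP-Response/Identity, which is the
        # "too late in the process" caveat from the reply above: the type is
        # only known part-way through the inner conversation.
        eap {
            ok = return
        }

        if (EAP-Type == JUAC) {
            # Hand the inner JUAC conversation to the UAC appliance. Nothing
            # below runs for it, so no LDAP search is made for these users.
            update control {
                Proxy-To-Realm := "juac-uac"
            }
            return
        }

        # Inner methods handled locally (e.g. MSCHAPv2, PAP) get a directory
        # lookup only here, never in the outer "default" server, so the
        # anonymous outer identity never causes an LDAP search.
        mschap
        ldap
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP { pap }
        Auth-Type MS-CHAP { mschap }
        Auth-Type LDAP { ldap }
        eap
    }

    post-proxy {
        # Lets the eap module finish the tunnelled state for proxied replies.
        eap
    }
}
```

Whether the UAC appliance accepts an inner EAP conversation that it joins only after the method has been chosen is exactly the open question in the reply; confirm the exchange with `radiusd -X` before depending on it.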
