configuring proxy base on eap-type
Alan DeKok
aland at deployingradius.com
Mon May 24 18:38:40 CEST 2010
Fred MAISON wrote:
> Yes, JUAC is an inner EAP protocol, inside ttls or peap.
Then you should be able to proxy it by just proxying the inner tunnel
data.
> I have proposed to replace SteelBelted by freeradius, and I succeeded to
> pass initial testings, but my current setup was without inner-tunnel
> modules correctly configured, which means there is a lot of unneeded
> ldap access (anonymous identities which do not exist in ldap backend
> and so on ...) and impossibility to configure separately outer and inner
> (when present) author/authent ...
I don't know what you mean by that. It shouldn't be much of a problem
to configure it.
> I think I did not give you enough information :
> * All NAS point to freeradius
> * All EAP protos without inner tunnel must be authenticated by
> freeradius using a ldap backend (I found existing devices only able to do
> EAP-LEAP for example, but maybe there are some other insecure eap types)
Uh... don't use LEAP. Use TTLS or PEAP.
> * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or
> EAP-PEAP/EAP-JUAC (outer/inner)
> * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate
> inner identity against ldap for authorize (ldap radiusgroupname
> membership) and authenticate (most common seems to be mschapv2 using
> ntpassword recovered in ldap during authorize). outer identity will not
> be checked because of encountered client-side configuration
> inconsistencies.
So... figure out who's supposed to do EAP-JUAC, and proxy them.
Authenticate everyone else inside of the tunnel.
Alan DeKok.
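One way to express the approach from this thread in FreeRADIUS configuration, as an added example that is not part of the original mail and not the FreeRADIUS project's shipped configuration: in the inner-tunnel virtual server, branch on the EAP type of the inner (decrypted) request, proxy only the EAP-JUAC sessions to the SteelBelted servers that still understand them, and authenticate everyone else locally against LDAP. It assumes the eap module runs earlier in authorize and sets the EAP-Type attribute for the inner request, that the realm "juac" and home server are defined as shown, and that 99 is a placeholder for the real EAP-JUAC type number, which the thread does not give; the address and secret are constructed sample values.

```unlang
# proxy.conf: the legacy SteelBelted server that still terminates EAP-JUAC.
home_server juac1 {
	type   = auth
	ipaddr = 192.0.2.10      # constructed sample address
	port   = 1812
	secret = CHANGEME        # constructed sample secret
}
home_server_pool juac_pool {
	type        = fail-over
	home_server = juac1
}
realm juac {
	auth_pool = juac_pool
}

# sites-enabled/inner-tunnel: only the inner request is proxied, so the TLS
# tunnel itself is still terminated locally and no outer LDAP lookup happens.
server inner-tunnel {
	authorize {
		mschap
		suffix
		eap {
			ok = return
		}

		# Assumption: eap has populated EAP-Type for the inner request.
		# 99 is a PLACEHOLDER for the EAP-JUAC type number.
		if (EAP-Type == 99) {
			# EAP-JUAC users: hand the inner request to the juac realm
			# and skip the local LDAP lookup entirely.
			update control {
				Proxy-To-Realm := "juac"
			}
		}
		else {
			# Everyone else is authorized locally: ldap supplies the
			# radiusgroupname membership and the NT hash for MS-CHAPv2.
			ldap
		}
		pap
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

Check the decision with `radiusd -X`: a JUAC session should log the inner request being sent to the juac home server, while an inner MS-CHAPv2 session should show the ldap module running and no proxying.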