configuring proxy base on eap-type

Alan DeKok aland at deployingradius.com
Mon May 24 18:38:40 CEST 2010


Fred MAISON wrote:
> Yes, JUAC is an inner EAP protocol, inside ttls or peap.

  Then you should be able to proxy it by just proxying the inner tunnel
data.

> I have proposed to replace SteelBelted by freeradius, and I succeeded in
> passing initial testing, but my current setup was without inner-tunnel
> modules correctly configured, which means there is a lot of unneeded
> ldap access (anonymous identities which do not exist in ldap backend
> and so on ...) and impossibility to configure separately outer and inner
> (when present) author/authent ...

  I don't know what you mean by that.  It shouldn't be much of a problem
to configure it.

> I think I did not give you enough information:
> * All NAS point to freeradius
> * All EAP protos without inner tunnel must be authenticated by
> freeradius using a ldap backend (I found existing devices on able to do
> EAP-LEAP for example, but maybe there are some other insecure eap types)

  Uh... don't use LEAP.  Use TTLS or PEAP.

> * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or
> EAP-PEAP/EAP-JUAC (outer/inner)
> * for all other tunneled EAP-TTLS/* or EAP-EAP/*, I have to validate
> inner identity against ldap for authorize (ldap radiusgroupname
> membership) and authenticate (most common seems to be mschapv2 using
> ntpassword recovered in ldap during authorize). outer identity will not
> be checked because of encountered client-side configuration
> inconsistencies.

  So... figure out who's supposed to do EAP-JUAC, and proxy them.
Authenticate everyone else inside of the tunnel.

  Alan DeKok.
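One way to lay out the split Alan describes (outer server never consults LDAP for tunneled sessions, inner-tunnel does the LDAP authorize/authenticate, and only the users who must do EAP-JUAC get proxied), as an added example that is not from this thread or the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang, and the group names "wifi-users" and "juac-users", the realm "juac" and the home server address/secret are placeholders.

```unlang
# sites-enabled/default  (outer server, what the NAS talks to)
authorize {
    preprocess
    suffix
    eap {
        # "ok" means the eap module is continuing a PEAP/TTLS session;
        # the real user is handled in inner-tunnel, so skip ldap here.
        ok = return
    }
    # only non-tunneled EAP (MD5, LEAP, ...) and plain PAP/CHAP reach ldap
    ldap
}

# sites-enabled/inner-tunnel  (inner identity only, outer identity ignored)
# eap.conf: set proxy_tunneled_request_as_eap = yes under ttls/peap so the
# inner EAP packets are forwarded as EAP to the home server.
authorize {
    mschap
    eap {
        ok = return
    }
    ldap    # fetches NT-Password for MS-CHAPv2 and resolves group membership
    # users who must do EAP-JUAC (identified by LDAP group, an assumption)
    # are proxied; the local eap module does not know the JUAC type, so it
    # returns noop for those packets and they go to the home server below.
    if (Ldap-Group == "juac-users") {
        update control {
            Proxy-To-Realm := "juac"
        }
    }
    # everyone else must be in the radius group to be authorized at all
    elsif (!(Ldap-Group == "wifi-users")) {
        reject
    }
}

# proxy.conf  (address and secret are placeholders)
home_server juac_sbr {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = CHANGE_ME
}
home_server_pool juac_pool {
    type = fail-over
    home_server = juac_sbr
}
realm juac {
    auth_pool = juac_pool
    nostrip
}
```

Run `radiusd -X` and watch that a PEAP/TTLS session shows ldap only inside the inner-tunnel server, and that a "juac-users" inner identity is logged as proxied to realm juac.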
