configuring proxy based on eap-type

Fred MAISON fred.maison at gmail.com
Tue May 25 08:37:55 CEST 2010


> Fred MAISON wrote:
> > Yes, JUAC is an inner EAP protocol, inside ttls or peap.
> 
>   Then you should be able to proxy it by just proxying the inner tunnel
> data.
> 
Yes, how can I do that? May I activate the proxy-inner-tunnel site along
with the inner-tunnel site?
The EAP-JUAC EAP-Type seems to be 254. Might this help, along with the
"ignore unknown EAP types" flag?

> > I have proposed to replace SteelBelted by freeradius, and I succeeded in
> > passing initial testing, but my current setup was without the inner-tunnel
> > modules correctly configured, which means there is a lot of unneeded
> > LDAP access (anonymous identities which do not exist in the LDAP backend
> > and so on ...) and no way to configure outer and inner (when present)
> > authorization/authentication separately ...
> 
>   I don't know what you mean by that.  It shouldn't be much of a problem
> to configure it.
> 
> > I think I did not give you enough information:
> > * All NAS point to freeradius
> > * All EAP protocols without an inner tunnel must be authenticated by
> > freeradius using an LDAP backend (I found existing devices only able to do
> > EAP-LEAP, for example, but maybe there are some other insecure EAP types)
> 
>   Uh... don't use LEAP.  Use TTLS or PEAP.
> 
I agree with you. And the main goal of the current setup is to gather
enough information to force user/workstation migration to TTLS where
possible; some devices will remain on LEAP since they seem to be
hardcoded to do LEAP and only LEAP ...
> > * JUAC is an inner protocol; it can be EAP-TTLS/EAP-JUAC or
> > EAP-PEAP/EAP-JUAC (outer/inner)
> > * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate the
> > inner identity against LDAP for authorize (LDAP radiusgroupname
> > membership) and authenticate (most common seems to be MSCHAPv2 using the
> > NT password retrieved from LDAP during authorize). The outer identity will
> > not be checked because of client-side configuration inconsistencies I
> > have encountered.
> 
>   So... figure out who's supposed to do EAP-JUAC, 
Yes, but based on what? I currently use a realm, but this can be changed
by the end user to bypass the JUAC host-checking capabilities ...
> and proxy them.
> Authenticate everyone else inside of the tunnel.

Yes, that is what I need, but I do not fully master how to do it. Maybe
the first point relates to enabling the proxy-inner-tunnel site?
If so, it seems to be very unselective (I mean ALL protocols doing an
inner tunnel will be proxied to the UAC, leaving only EAP-LEAP on
freeradius). This could be a good solution for me.

Best regards
Fred MAISON
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
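Added example (not from Fred, Alan, or the FreeRADIUS distribution): one way to do the selective proxying discussed above with FreeRADIUS 2.x. Instead of enabling the proxy-inner-tunnel site, which sends every inner-tunnel request to the same realm, both TTLS and PEAP unpack into the normal inner-tunnel server, and the per-request decision is made there on the inner identity's realm, the criterion Fred says he currently uses. EAP type 254 is the RFC 3748 Expanded Type, a wrapper carrying a vendor ID and vendor-specific type, so a test on EAP-Type alone would match any vendor-specific inner method, not just JUAC; keying on the realm avoids that, with the caveat Fred already raised that the realm is chosen by the supplicant. The realm name juac.example, the home server address and secret, and the group name wifi-users are assumptions for illustration.

```text
# --- raddb/proxy.conf (added) --------------------------------------
# Assumed UAC appliance; replace the address and shared secret.
home_server uac1 {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = testing123
}

home_server_pool uac_pool {
    type        = fail-over
    home_server = uac1
}

# Inner identities of the form user@juac.example (assumed realm) are
# sent to the pool.  'nostrip' keeps the realm in User-Name so the UAC
# sees the identity exactly as the supplicant sent it.
realm juac.example {
    auth_pool = uac_pool
    nostrip
}

# --- raddb/eap.conf (relevant lines only) --------------------------
# Both tunnel types use the regular inner-tunnel server, not
# proxy-inner-tunnel, so the decision is per request rather than global.
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }
}

# --- raddb/sites-available/inner-tunnel (sections that matter) ------
server inner-tunnel {
    authorize {
        # Split the inner User-Name on '@'.  For a realm defined in
        # proxy.conf, rlm_realm sets control:Proxy-To-Realm itself.
        suffix

        # JUAC users: proxy the inner EAP unchanged and skip LDAP entirely.
        if (control:Proxy-To-Realm) {
            ok
            return
        }

        # Everyone else: local EAP (MSCHAPv2 etc.) with credentials from LDAP.
        eap {
            ok = return
        }
        ldap

        # Authorization on group membership (assumed group name).
        if (Ldap-Group == "wifi-users") {
            ok
        }
        else {
            reject
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
        eap
    }

    # Replies from the UAC return here; eap re-wraps them into the
    # outer TTLS/PEAP tunnel, as the proxy-inner-tunnel site does.
    post-proxy {
        eap
    }
}
```

Because the proxy decision is taken before `eap` runs in `authorize`, the local EAP module never sees the type 254 inner packets on the JUAC path, and the anonymous outer identities never reach LDAP either, since the outer `default` server only needs `eap` for TTLS/PEAP. LEAP clients still hit the outer server and its LDAP lookup as before, which is the split Fred describes wanting.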
