Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
Bertalan Voros
bertalan.voros at gmail.com
Fri Jan 25 15:15:41 CET 2013
Hi Phil,
Thanks a lot for the quick response.
The reason I was attempting this is because I have to provide a service for
roaming users and I was having issues with obtaining a certificate for the
NPS server.
Does this mean that I could use a self-signed certificate for the NPS that
is recognized by the freeradius and have a commercial certificate on the
freeradius that is then recognized by the clients?
So it's kept EAP-MSCHAPv2 all the way.
Is this correct?
Sorry for the lame questions but I am reasonably new to freeradius and have
only been using it to blindly proxy requests to the NPS.
On 25 January 2013 13:45, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 01/25/2013 01:19 PM, Bertalan Voros wrote:
>
>> Hello All,
>>
>> Could someone tell me if it is possible to terminate PEAP on a
>> freeradius server then proxy the request to an NPS server using MSCHAPv2?
>>
>
> Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and FreeRADIUS
> will proxy the packets.
>
> server inner-tunnel {
>     authorize {
>         ...
>         update control {
>             Proxy-To-Realm := NPS
>         }
>         ...
>     }
> }
>
> However, personally I would strongly recommend you proxy the inner as
> EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" code
> i.e. you *should* set in "eap.conf":
>
> eap {
>     ...
>     peap {
>         ...
>         proxy_tunneled_request_as_eap = yes
>         ...
>     }
> }
>
> If you set this option to "no" the proxied packet will be changed into
> plain MSCHAP, but that code path is complex and has had problems in the
> past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do
> this.
--
Bertalan Voros
m: 07932858025
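
The pieces discussed in this thread, put together with the realm definition that `Proxy-To-Realm := NPS` relies on. This is an added example, not part of the original messages or of FreeRADIUS's shipped configuration; the home server name, pool name, IP address and shared secret are placeholder assumptions.

```conf
# proxy.conf: define the NPS home server and the realm named in Proxy-To-Realm.
home_server nps1 {                  # "nps1" is a hypothetical name
    type   = auth
    ipaddr = 192.0.2.10             # placeholder address (documentation range)
    port   = 1812
    secret = CHANGE_ME              # placeholder; must match the RADIUS client entry on NPS
}

home_server_pool nps_pool {         # "nps_pool" is a hypothetical name
    type        = fail-over
    home_server = nps1
}

realm NPS {
    auth_pool = nps_pool
    nostrip                         # pass User-Name through unchanged
}

# inner-tunnel virtual server: send the tunnelled (inner) request to that realm.
server inner-tunnel {
    authorize {
        # other authorize modules stay as they are
        update control {
            Proxy-To-Realm := NPS
        }
    }
}

# eap.conf: keep the inner request as EAP-MSCHAPv2 when it is proxied,
# rather than converting it to plain MSCHAPv2.
eap {
    peap {
        # other peap settings stay as they are
        proxy_tunneled_request_as_eap = yes
    }
}
```

Running the server in debug mode (`-X`) shows whether the inner request is handed to the `NPS` realm and what the home server answers.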