Using freeradius as proxy for EAP-SIM/EAP-AKA

Alan DeKok aland at
Mon Jul 1 16:34:13 CEST 2013

Ming-Ching Tiew wrote:
> If I understand you correctly, it means it is only possible to have ONE
> radius server which does EAP SIM/EAP AKA authentication in the entire
> chain of connections ?


  It means that you don't KNOW it's EAP-SIM until after you decide to
proxy it.

> It's not possible for one proxy radius to send request to different EAP
> SIM/EAP AKA radius server (based on certain criteria) ?

  When you're proxying an EAP packet, the ONLY criterion you have is the
EAP identity.  You do NOT have the EAP type available.

> How about Linux LVS? Will it be able to split the EAP-SIM/EAP-AKA request
> to different (final) server based on certain criteria?

  No.  Adding a virtual server is no different from adding another
machine on the network.  It won't make any difference.

  The issue is with the EAP protocol.  Not with the network stack.

  Alan DeKok.
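
The point about the EAP identity, as an added example that is not part of the original message and is not FreeRADIUS code: a minimal RFC 3748 header parser showing that the first EAP-Message a proxy sees is a Response/Identity (type 1), and that the method type (18 for SIM, 23 for AKA) only appears in a later Request from the home server. The realm table, identity and packets are constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 18: "SIM", 23: "AKA"}  # RFC 3748, 4186, 4187

def parse_eap(packet: bytes) -> dict:
    """Parse the RFC 3748 layout: Code, Identifier, Length, then Type + data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP Length field")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        out["type"] = EAP_TYPES.get(packet[4], packet[4])
        out["data"] = packet[5:length]
    return out

def build_eap(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a Request/Response packet (used only to make the samples below)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

# Hypothetical realm -> home server mapping (assumption, not from the thread).
HOME_SERVERS = {"sim.example.org": "home-a", "aka.example.org": "home-b"}

def proxy_decision(first_eap: bytes):
    """Return (identity, home server) from the first EAP-Message of a session."""
    eap = parse_eap(first_eap)
    if eap["code"] != "Response" or eap["type"] != "Identity":
        raise ValueError("expected EAP-Response/Identity as the first message")
    identity = eap["data"].decode("utf-8", "replace")
    realm = identity.rpartition("@")[2] if "@" in identity else ""
    return identity, HOME_SERVERS.get(realm, "default")

# Constructed samples: the supplicant's first message, and the home server's
# later EAP-Request/SIM/Start (subtype 10, two reserved bytes, no attributes).
FIRST = build_eap(2, 1, 1, b"user1@sim.example.org")
LATER = build_eap(1, 2, 18, b"\x0a\x00\x00")

if __name__ == "__main__":
    print("first packet type:", parse_eap(FIRST)["type"])
    print("routing decision: ", proxy_decision(FIRST))
    print("later packet type:", parse_eap(LATER)["type"])
```

The routing decision is already made from `FIRST`; `LATER` travels back through the proxy on the path chosen at that point.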
