Machine authentications with proxy-inner-tunnel and NPS as backend

A.L.M.Buxey at A.L.M.Buxey at
Mon Jul 21 11:10:34 CEST 2014


> Has anyone ever tried something like this and got the setup working?

don't mess with the packets - don't just proxy the inner tunnel to the NPS, send
all valid stuff at the outer layer to the NPS box for it to deal with (i.e. make it
the end EAP termination tunnel). you know that nice setting (check cryptobinding)
you see on the client? that's designed to check that the EAP termination is actually
the same server that unwrapped the TLS in the first instance.  use unlang to define
the proxy group/realm - proxy stuff to the NPS that matches your desire.
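
Added example, not part of the original post: a FreeRADIUS configuration sketch of the approach described above, where the outer EAP conversation for machine accounts is proxied untouched to NPS so that NPS terminates both TLS and the inner method. The realm, pool and server names, the address 192.0.2.10, the secret and the `host/` User-Name match are assumptions for illustration.

```conf
# proxy.conf -- define the NPS box as a home server (all values are placeholders)
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10            # assumed NPS address (documentation range)
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps1
}

# Realm used only as a proxy target; it is selected by unlang below,
# not by a suffix in the User-Name.
realm NPS {
    auth_pool = nps_pool
    nostrip                        # forward User-Name unchanged
}

# sites-enabled/default -- outer server, NOT the inner-tunnel server
authorize {
    # Windows machine authentication presents an outer identity of the
    # form host/<fqdn>. Match it before the eap module runs, so the
    # request is proxied as-is and FreeRADIUS never unwraps the TLS tunnel.
    if (User-Name =~ /^host\//i) {
        update control {
            Proxy-To-Realm := "NPS"
        }
    }

    # ... remaining authorize modules (eap, etc.) for locally handled users
}
```

Because the whole EAP exchange ends on NPS, the client's cryptobinding check sees the same server for the TLS tunnel and the inner method.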

