Machine authentications with proxy-inner-tunnel and NPS as backend

Herwin Weststrate herwin at
Mon Jul 21 19:03:23 CEST 2014

On 21-07-14 11:10, A.L.M.Buxey at wrote:
> Hi,
>> Has anyone ever tried something like this and got the setup working?
> dont mess with the packets - dont just proxy the inner tunnel to the NPS, send
> all valid stuff at the outer layer to the NPS box for it to deal with (ie make it
> the end EAP termination tunnel). you know that nice setting (check cryptobinding)
> you see on the client? thats designed to check that the EAP termination is actually
> the same server that unwrapped the TLS in the first instance.  use unlang to define
> the proxy group/realm - proxy stuff to the NPS that matches your desire.

I don't really see the relevance of cryptobinding here. The EAP tunnel
is unpacked, and only the contents of it (slightly modified) is sent to
a backend. FreeRADIUS is the EAP terminator and the server that started
with the TLS unwrapping. This scenario shouldn't be too weird, or else
the virtual server proxy-inner-tunnel would not exist in the
distribution. From an EAP point of view, this is not so different from a
setup where the users would be defined in the users-file on the
FreeRADIUS server.

Herwin Weststrate

More information about the Freeradius-Users mailing list