Authentication problems depending on connection type
Alex Gregory
alex at c2company.com
Thu Oct 30 18:25:28 CET 2014
Thank you, Stefan. This sounds like what I want to do. Since I am using OTP, passwords sent in clear text are ok (and required by the upstream OTP radius server). I had the proxy set up, but it sounds like I need to figure out how to proxy just the inner tunnel request. I will check the inner-tunnel config even deeper and see what I can come up with. If you have any tips I am open. ;)
Thanks,
Alex
> On Oct 24, 2014, at 11:01 AM, Stefan Paetow <Stefan.Paetow at ja.net> wrote:
>
>> I was under the impression that, with EAP, it encapsulates the password in the EAP transmission.
>> If I can only do EAP, then that means it can never send it in the clear. Which means, if I want to send
>> the radius server the password in the clear (since it's OTP) what I am doing can’t be done. Is this correct?
>
> Alex,
>
> When you receive an EAP access request, FreeRADIUS will pass the request on to the 'inner-tunnel' server (defined in /etc/raddb/sites-available/inner-tunnel). If you have an OTP server, you can then proxy the inner tunnel request to the OTP server. Of course, you then lose any of the protection that EAP-TTLS provides, but then again, if you're using PAP only, all bets are off anyway.
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> Janet, the UK's research and education network.
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
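Added example, not part of the original thread: one way the inner-tunnel proxying Stefan describes could be configured in FreeRADIUS. The realm, pool and server names, the address 192.0.2.10 and the shared secret are placeholders assumed for illustration.

```conf
# --- proxy.conf (fragment) ---
# Hypothetical upstream OTP RADIUS server; address and secret are placeholders.
home_server otp_server {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = CHANGE_ME_SHARED_SECRET
}

home_server_pool otp_pool {
    type        = fail-over
    home_server = otp_server
}

# Realm used only as a proxy target; "nostrip" leaves User-Name untouched.
realm otp {
    auth_pool = otp_pool
    nostrip
}

# --- sites-available/inner-tunnel (fragment) ---
server inner-tunnel {
    authorize {
        # Only the request unwrapped from the EAP-TTLS tunnel reaches this
        # virtual server. If it carries a PAP password, hand it to the
        # OTP realm instead of authenticating it locally.
        if (User-Password) {
            update control {
                Proxy-To-Realm := "otp"
            }
        }
    }
}
```

On the proxied hop the password is covered only by the RADIUS shared secret, not by the TLS tunnel, so that link should stay on a trusted network segment and use a long random secret.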