Proxy PEAP to one Radius Server - EAP-TLS to another Radius Server

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 13 15:18:19 CEST 2015


On 13/08/15 14:13, Matthew Newton wrote:
> On Thu, Aug 13, 2015 at 03:05:04PM +0200, Basile Bluntschli wrote:
>> My switch will have the radius server A configured. All radius requests
>> will be sent to the radius server A.
>> If supplicant X wants to authenticate with PEAP, radius server A would
>> handle the full request.
>> If Supplicant Z wants to authenticate with EAP-TLS radius server A would
>> proxy the whole request to Radius Server B.
>>
>> Is there a way to do this?
>
> First thing that comes to mind is to look at the EAP type in the
> incoming EAP-Message, and update proxy-to-realm if it's EAP-TLS.
> Something like this:
>
> if (EAP-Message =~ /^0x........0d/) {
>    update control {
>      Proxy-To-Realm := 'remote_realm'
>    }
> }
> else {
>    eap
> }
>
> but there may be cleaner ways to do it.

I wondered about that; what about the EAP-Identity packet?
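
Added example, not part of the original posts: a small parser for the EAP header that the quoted regex tests, run over constructed packets to show which EAP-Response messages carry type 13 (`0d`) in the fifth octet. An Identity response carries type 1 and a Nak carries type 3, so neither matches. The packet contents and the helper names (`build`, `parse_eap`, `regex_matches`, `describe`) are assumptions for illustration; the header layout follows RFC 3748.

```python
import re
import struct

# Method type numbers: Identity and Nak from RFC 3748, EAP-TLS from RFC 5216,
# 25 is the type PEAP uses.
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def build(code, ident, eap_type, data=b""):
    """Build a constructed EAP packet: code(1) id(1) length(2) type(1) data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(packet):
    """Parse the EAP header and, for a Nak, the method types the peer asks for."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not fit the data")
    info = {"code": code, "id": ident, "type": None, "nak_wants": []}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a type
        info["type"] = packet[4]
        if code == 2 and packet[4] == 3:    # Response/Nak lists desired types
            info["nak_wants"] = list(packet[5:length])
    return info

def regex_matches(packet):
    """Apply the quoted pattern to the hex rendering of the attribute."""
    return re.match(r"^0x........0d", "0x" + packet.hex()) is not None

def describe(packet):
    """Return (method name, whether the quoted regex would match)."""
    t = parse_eap(packet)["type"]
    return TYPES.get(t, str(t)), regex_matches(packet)

# Constructed sample packets, all EAP-Response (code 2).
SAMPLES = {
    "identity": build(2, 1, 1, b"user@example.org"),
    "nak": build(2, 2, 3, bytes([13])),     # peer asks for EAP-TLS
    "tls": build(2, 3, 13, b"\x00"),        # EAP-TLS, flags octet only
    "peap": build(2, 3, 25, b"\x00"),       # PEAP, flags octet only
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, pkt.hex(), describe(pkt))
```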

