proxy incoming PAP request as outgoing PEAP/TTLS requests

Ian Chang-張志邦 Ian.Chang at
Tue Sep 22 03:25:19 CEST 2015

Hi Alan,

Thanks for your comment.
Actually, the captive portal backend service and the freeradius server are on the same device.
We would like to transfer the requests as PEAP/TTLS before the requests go out the device.

Thanks a lot.

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: Tuesday, September 22, 2015 9:02 AM
To: FreeRadius users mailing list
Subject: Re: proxy incoming PAP request as outgoing PEAP/TTLS requests

On Sep 21, 2015, at 8:57 PM, Ian Chang-張志邦 <Ian.Chang at> wrote:
> This is exactly we would like to do.
> captive portal ------PAP-----> freeradius server ----PEAP/TTLS------> another radius server


> As you said, it is a dangerous thing to accept PAP and it is not enabled on NPS by default.

  That isn't true.

> Hence, we would like to proxy the PAP requests as PEAP/TTLS requests.
> It is better that we could authenticate with the upstream server in the tunnel.

  No.  That's not true, either.

  The whole point of EAP is that NO ONE outside of the end user, and home server know what the password is.  The access point doesn't know it.  The intermediate proxies don't know it.

  Since the captive portal already sees the PAP password, adding EAP is useless.  It's *worse* than useless because it's adding complexity for no benefit.

  This is like saying "locks as good.  But my house is old, and doesn't have a lock on the front door.  So I'll put a lock on the floor beside my bed.  That will help!"

  No, it won't help.

  Alan DeKok.

List info/subscribe/unsubscribe? See
This email and any files transmitted with it may contain information of ZyXEL Communications Corporation that are privileged / confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, disclose, distribute, copy, or use this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

More information about the Freeradius-Users mailing list