proxy incoming PAP request as outgoing PEAP/TTLS requests

Alan DeKok aland at
Tue Sep 22 14:01:22 CEST 2015

On Sep 21, 2015, at 9:25 PM, Ian Chang-張志邦 <Ian.Chang at> wrote:
> Actually, the captive portal backend service and the freeradius server are on the same device.
> We would like to transfer the requests as PEAP/TTLS before the requests go out the device.

  That's still a bad idea.

  If you need secure communication between the captive portal and the RADIUS server, use IPSec.  Or RADIUS over TLS.

  You would be MUCH better off using a RADIUS proxy on the captive portal to use RADIUS over TLS, then use a RADIUS proxy next to NPS which receives the TLS connection, and then sends PAP to NPS.  That is using the protocols the way they are intended to be used.

  Changing PAP to PEAP / TTLS is the wrong thing to use.  You can get the same benefit with fewer problems by using RADIUS over TLS.

  Alan DeKok.

More information about the Freeradius-Users mailing list