Alan DeKok aland at
Thu Nov 3 00:34:19 CET 2016

On Nov 2, 2016, at 5:38 PM, Davide Belloni <davide.belloni at> wrote:
> for a SSID wireless network I'm trying, without success, to proxy EAP-TLS
> auth (based on certificate's CN) to specific Windows RADIUS that are
> members of two domain on AD.

  As always, read the debug log.  You will see the EAP session being started on FreeRADIUS, and *then* after a few packets, the client certificate shows up.

  i.e. you can't proxy an entire EAP session based on a client certificate that shows up in packet 4.

  You *can* proxy based on User-Name.  But that's (mostly) independent of the client certificate.

> For example what I want to obtain is that:
>   - EAP-TLS of client A, member of domain X, is proxied by Freeradius to
>   RADIUS/AD of that domain
>   - EAP-TLS of client B, member of domain Y, is proxied by Freeradius to
>   RADIUS/AD of that domain
>   - EAP-TLS of client C, member of any domain, is managed by file user

  "client" or User-Name?  It matters.

> I've obtained a similar setup for EAP-TTLS using this configuration in
> inner-tunnel authorize section:

  EAP-TLS mostly don't have an inner-tunnel authorize section.  Also, if you're proxying EAP-TLS, you need to proxy the outer session, not the inner one.

>        if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) {
>            if ("%{User-Name}" =~ /$/ || "%{User-Name}" =~ /\.
>$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) {
>                update control {
>                    Proxy-To-Realm := 'AD_DOMAINX'
>                }
>            }
>        }

  Which proxies the *inner* authentication to the other server.  It doesn't proxy the EAP-TTLS exchange.

  And you can't proxy based on EAP type (TLS or TTLS), because that comes in the second packet of the EAP exchange.

> Is it possible to obtain this setup with EAP-TLS? How?


  The simplest thing by far is to just proxy domain A to server A, and domain B to server B.  That's what the "realms" configuration does.

  Alan DeKok.

More information about the Freeradius-Users mailing list