Proxy EAP-TLS
Alan DeKok
aland at deployingradius.com
Thu Nov 3 00:34:19 CET 2016
On Nov 2, 2016, at 5:38 PM, Davide Belloni <davide.belloni at gmail.com> wrote:
>
> for an SSID wireless network I'm trying, without success, to proxy EAP-TLS
> auth (based on the certificate's CN) to specific Windows RADIUS servers that are
> members of two domains on AD.
As always, read the debug log. You will see the EAP session being started on FreeRADIUS, and *then* after a few packets, the client certificate shows up.
i.e. you can't proxy an entire EAP session based on a client certificate that shows up in packet 4.
You *can* proxy based on User-Name. But that's (mostly) independent of the client certificate.
> For example what I want to obtain is that:
>
> - EAP-TLS of client A, member of domain X, is proxied by Freeradius to
> RADIUS/AD of that domain
> - EAP-TLS of client B, member of domain Y, is proxied by Freeradius to
> RADIUS/AD of that domain
> - EAP-TLS of client C, member of any domain, is managed by file user
"client" or User-Name? It matters.
> I've obtained a similar setup for EAP-TTLS using this configuration in
> inner-tunnel authorize section:
EAP-TLS mostly doesn't have an inner-tunnel authorize section. Also, if you're proxying EAP-TLS, you need to proxy the outer session, not the inner one.
> if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) {
>     if ("%{User-Name}" =~ /@domainx.com$/ || "%{User-Name}" =~ /\.domainx.com$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) {
>         update control {
>             Proxy-To-Realm := 'AD_DOMAINX'
>         }
>     }
> }
Which proxies the *inner* authentication to the other server. It doesn't proxy the EAP-TTLS exchange.
And you can't proxy based on EAP type (TLS or TTLS), because that comes in the second packet of the EAP exchange.
> Is it possible to obtain this setup with EAP-TLS? How?
Maybe.
The simplest thing by far is to just proxy domain A to server A, and domain B to server B. That's what the "realms" configuration does.
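As an added illustration of the realm-based proxying described above (not configuration from this thread; the home server addresses, secrets, pool and realm names are placeholders), a FreeRADIUS 3 proxy.conf plus the matching authorize fragment:

```conf
# proxy.conf (FreeRADIUS 3.x): one home server + pool per AD domain (placeholders)
home_server ad_domainx {
	type   = auth
	ipaddr = 192.0.2.10      # placeholder: NPS of domain X
	secret = CHANGE_ME
}
home_server ad_domainy {
	type   = auth
	ipaddr = 192.0.2.20      # placeholder: NPS of domain Y
	secret = CHANGE_ME
}
home_server_pool pool_domainx {
	type        = fail-over
	home_server = ad_domainx
}
home_server_pool pool_domainy {
	type        = fail-over
	home_server = ad_domainy
}
# Realm names are what "suffix" (user@domainx.com) and "ntdomain"
# (DOMAINX\user) extract from User-Name; nostrip forwards it unchanged.
realm domainx.com {
	auth_pool = pool_domainx
	nostrip
}
realm DOMAINX {
	auth_pool = pool_domainx
	nostrip
}
realm domainy.com {
	auth_pool = pool_domainy
	nostrip
}
realm DOMAINY {
	auth_pool = pool_domainy
	nostrip
}
# No DEFAULT realm: an unrecognised User-Name stays local (eap + files).

# sites-enabled/default, authorize section: the realm modules run before
# "eap", so Proxy-To-Realm is already set on the first Access-Request and
# rlm_eap leaves the whole EAP-TLS exchange to the home server.
authorize {
	if (&Called-Station-Id =~ /:SSID_S$/) {
		suffix
		ntdomain
	}
	eap
	files
}
```

Machine accounts that authenticate as host/pc.domainx.com contain neither "@" nor "\", so neither realm module matches them; they need an explicit rule (like the regex in the original post) to set Proxy-To-Realm. Whether a request was routed as intended is visible in the debug log (radiusd -X) before the first EAP round trip, which is the only point at which routing can still be decided.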
Alan DeKok.