Proxy CHAP into EAP session

Jonathan huffelduffel at gmail.com
Fri Sep 22 20:41:40 CEST 2017


I can also receive PAP (cleartext) and convert it.

The problem I have is that the secondary backend only supports RADIUS EAP
messages and it cannot be changed while the NAS doesn't support EAP
messages..., so i need to somehow broker between the two.

How could i tunnel CHAP inside of EAP-TTLS, that would be very useful.

Can i do this somehow by calling / using radeapclient? even though i would
need to catch the responses from radeapclient back...


On Fri, Sep 22, 2017 at 8:20 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 22, 2017, at 1:54 PM, Jonathan <huffelduffel at gmail.com> wrote:
> >
> > I'm looking for a way on how to proxy / recreate a session into an EAP
> > session.
> >
> > STEPS
> > 1
> > normal RADIUS session with CHAP password
> > Received by RADIUS server1
> >
> > 2
> > RADIUS server1 converts/proxies it into a second RADIUS request but as an
> > EAP session towards a RADIUS server2 which handles the full request.
>
>   It's not possible.
>
>   It may be theoretically possible to convert CHAP to EAP-MD5, but that
> isn't very useful.
>
>   It may also be theoretically possible to tunnel CHAP inside of EAP-TTLS,
> but that also isn't useful.  And FreeRADIUS can't do it.
>
>   The better question is why are you trying to do this?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html


More information about the Freeradius-Users mailing list