Server verification when proxying
Alan DeKok
alan.dekok at inkbridge.io
Tue Oct 28 16:24:42 UTC 2025
On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
>
> We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisation's Cisco ISE servers where we detect that the username is one of their machines.
OK.
> The other organisation say that their users are sometimes prompted to continue with the connection.
What does that mean?
> Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?
If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server.
Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate.
i.e. if their users are seeing problems, it's with their systems, not yours.
> I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.
Don't make guesses. Find out what's going on.
> What I don't understand is why they say that their users are only prompted 'sometimes', not always.
You'll have to ask them for details.
Alan DeKok.
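As an added illustration of the behaviour Alan describes (example configuration, not from this thread or the FreeRADIUS project), here is a minimal FreeRADIUS 3 proxy setup in which every packet for the partner organisation's machine accounts is forwarded to their server, so the local server never terminates EAP-TLS for them. The home server address, shared secret, realm name and the `host/...` User-Name pattern are assumed placeholders.

```unlang
# --- proxy.conf (assumed values) ---------------------------------------
home_server other_org_ise {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder: partner's Cisco ISE
    port   = 1812
    secret = CHANGEME          # placeholder shared secret
    status_check = status-server
}

home_server_pool other_org_pool {
    type        = fail-over
    home_server = other_org_ise
}

realm otherorg.example {
    auth_pool = other_org_pool
    nostrip                    # forward User-Name unchanged
}

# --- sites-enabled/default, authorize section -------------------------
authorize {
    preprocess

    # Assumed convention: Windows machine accounts authenticate as
    # host/<machine>.<partner-domain>. Any such request is marked for
    # proxying; the whole EAP-TLS conversation (every Access-Request /
    # Access-Challenge round trip) then goes to the partner's server,
    # which presents *its* certificate to the client, not ours.
    if (&User-Name =~ /^host\/.+\.otherorg\.example$/i) {
        update control {
            &Proxy-To-Realm := "otherorg.example"
        }
    }
    else {
        # Our own machines: terminate EAP-TLS locally with our certificate.
        eap {
            ok = return
        }
    }
}
```

With this in place, `radiusd -X` shows only "Proxying request" and "Received ... from home server" lines for the partner's machines, never a local TLS handshake, so any server-verification prompt those users see concerns the partner's certificate.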