Server verification when proxying

Stephen Mellor Stephen.Mellor at nhs.scot
Tue Oct 28 17:01:21 UTC 2025


Thanks! From what I could see in the console logs it certainly did appear that everything was being proxied, as one would hope/expect, but I did wonder if I was missing something.
________________________________
From: Alan DeKok <alan.dekok at inkbridge.io>
Sent: Tuesday, October 28, 2025 16:24
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Stephen Mellor <Stephen.Mellor at nhs.scot>
Subject: Re: Server verification when proxying


On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
>
> We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisation's Cisco ISE servers where we detect that the username is one of their machines.

  OK.

> The other organisation say that their users are sometimes prompted to continue with the connection.

  What does that mean?

> Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?

  If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server.  Which means that the entire EAP-TLS session will get proxied to the other server.

  Your server will not be involved, other than to proxy the packets.  So the users will never connect to your server via EAP-TLS.  And the users will never see your certificate.

  i.e. if their users are seeing problems, it's with their systems, not yours.

> I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.

  Don't make guesses.  Find out what's going on.

> What I don't understand is why they say that their users are only prompted 'sometimes', not always.

  You'll have to ask them for details.

  Alan DeKok.
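A minimal FreeRADIUS 3.x configuration, added here as an illustration and not taken from the thread or from the original poster's setup, showing the realm-based proxying Alan describes: once Proxy-To-Realm is set for a User-Name, every packet of that EAP-TLS conversation goes to the home server, so the supplicant's server-certificate check runs against the other organisation's ISE certificate, never the proxy's. The realm name, address, secret and the User-Name pattern are placeholders.

```unlang
# proxy.conf (placeholder values; not the original poster's configuration)
home_server otherorg_ise1 {
    type   = auth
    ipaddr = 192.0.2.10               # placeholder: other organisation's ISE node
    port   = 1812
    secret = CHANGE_ME_SHARED_SECRET  # placeholder
    # Assumed to be available in the 3.2.x build in use: require a valid
    # Message-Authenticator on replies from the home server.
    require_message_authenticator = yes
    status_check    = status-server   # mark the home server dead instead of waiting
    response_window = 20
}

home_server_pool otherorg_pool {
    type        = fail-over
    home_server = otherorg_ise1
}

realm otherorg.example {
    auth_pool = otherorg_pool
    nostrip                           # forward the full User-Name unchanged
}

# sites-enabled/default, authorize section
authorize {
    # Route by identity: a User-Name matching the other organisation's
    # naming pattern (placeholder regex) is handed to their realm.
    if (&User-Name =~ /@otherorg\.example$/) {
        update control {
            &Proxy-To-Realm := "otherorg.example"
        }
    }
    # With Proxy-To-Realm set, the local eap module does not handle the
    # request, so no local EAP-TLS session (and no local certificate)
    # is ever presented to these clients.
    eap
}
```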
