Server verification when proxying

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Oct 29 15:47:00 UTC 2025


Hi Stephen,

It depends on the username that the device(s) provided. As Alan says, your server would not be involved if the packets are proxied to the home organisation. Does the other site have any specifics (i.e. is it always the same user that this happens to, or is it always the same kind of device)?

If you have someone at the organisation in question to liaise with, you could try and conditionally debug things by running FreeRADIUS with this command line (which forces FR to run in the foreground and handle things in a single thread (I think?)):

Ubuntu/Debian: /usr/sbin/freeradius -fxx -l stdout |tee -a /tmp/your-debug-log.log

RedHat/Alma/Centos/Rocky: /usr/sbin/raddb -fxx -l stdout |tee -a /tmp/your-debug-log.log

It will probably scroll like crazy, but the 'your-debug-log.log' file will have it all captured and you can start searching for the MAC address of the device in question and see what the difference in packets is (maybe one uses 'host/blah-blah.realm.tld' as a username while another does it like 'blah-blah at realm.tld', and your server handles them differently). :-)

Lots of variables there, but looking at the debug log helps a lot if you then need to figure it out :-)

Kind regards

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc

email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142

For eduroam support, please contact the eduroam team via help at jisc.ac.uk and mark it for eduroam’s attention.
I am not available on Mondays and Fridays between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

Note: I don’t expect a reply outside of your working hours, since I work internationally with colleagues in different nationalities with different religions, customs, and holidays. Reply when it is convenient for you.

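Stefan's suggestion above is to search the debug log for the device's MAC address and compare the User-Name forms it sends, and Alan's point below is that the proxy decision is made on User-Name, so every packet for a proxied name goes to the other server. The script below is an added example (not Stefan's, Alan's or the FreeRADIUS project's code): it parses a constructed excerpt in the style of radiusd -X output, groups the distinct User-Name values per Calling-Station-Id, and applies an assumed suffix-realm routing rule to show which form would be proxied and which would be handled locally. The log text, MAC addresses, realms and the PROXY_REALMS set are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of `radiusd -X` debug output (not a real capture).
DEBUG_LOG = """\
(0) Received Access-Request Id 17 from 10.0.0.5:49152 to 10.0.0.1:1812 length 214
(0)   User-Name = "host/laptop01.other.example"
(0)   Calling-Station-Id = "AA-BB-CC-11-22-33"
(0)   EAP-Message = 0x020100060d00
(1) Received Access-Request Id 18 from 10.0.0.5:49152 to 10.0.0.1:1812 length 201
(1)   User-Name = "laptop01@other.example"
(1)   Calling-Station-Id = "AA-BB-CC-11-22-33"
(2) Received Access-Request Id 19 from 10.0.0.6:49152 to 10.0.0.1:1812 length 199
(2)   User-Name = "desk07@home.example"
(2)   Calling-Station-Id = "DD-EE-FF-44-55-66"
"""

# Assumed routing table: realms whose users are proxied to the partner organisation.
PROXY_REALMS = {"other.example"}

# Matches quoted attribute lines such as:  (0)   User-Name = "..."
ATTR_RE = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+) = "(.*)"$')

def parse_packets(log_text):
    """Return {packet_no: {attribute: value}} for the quoted attributes in the log."""
    packets = defaultdict(dict)
    for line in log_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            packets[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(packets)

def routing_for(user_name):
    """Suffix-realm decision under the assumed config: 'user@realm' with a realm in
    PROXY_REALMS is proxied; any other form (including host/name.domain) stays local."""
    if "@" in user_name:
        realm = user_name.rsplit("@", 1)[1].lower()
        return ("proxied:" if realm in PROXY_REALMS else "local:") + realm
    return "local:no-realm"

def usernames_by_mac(log_text):
    """Group the distinct User-Name forms, with their routing, per Calling-Station-Id."""
    out = defaultdict(dict)
    for attrs in parse_packets(log_text).values():
        mac = attrs.get("Calling-Station-Id", "?").upper().replace(":", "-")
        if "User-Name" in attrs:
            out[mac][attrs["User-Name"]] = routing_for(attrs["User-Name"])
    return dict(out)

if __name__ == "__main__":
    for mac, names in usernames_by_mac(DEBUG_LOG).items():
        print(mac)
        for name, route in names.items():
            print(f"  {name!r:40} -> {route}")
```

A MAC that appears with both a proxied and a local form is the case worth checking first, since only the local form would ever reach your own server's certificate.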
On 28/10/2025, 17:01, "Freeradius-Users on behalf of Stephen Mellor via Freeradius-Users" <freeradius-users at lists.freeradius.org> wrote:


Thanks! From what I could see in the console logs it certainly did appear that everything was being proxied, as one would hope/expect, but I did wonder if I was missing something.
________________________________
From: Alan DeKok <alan.dekok at inkbridge.io>
Sent: Tuesday, October 28, 2025 16:24
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Stephen Mellor <Stephen.Mellor at nhs.scot>
Subject: Re: Server verification when proxying




On Oct 28, 2025, at 11:51 AM, Stephen Mellor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Freeradius 3.2, Windows 11 clients, EAP-TLS server verification.
>
> We're using EAP-TLS successfully, authenticating locally for our machines, but proxying out to another organisation's Cisco ISE servers where we detect that the username is one of their machines.


OK.


> The other organisation say that their users are sometimes prompted to continue with the connection.


What does that mean?


> Our users are not - their machines just connect. Assuming that wifi profiles for both organisations include the option to verify the authentication server, does that initial verification get proxied for the other organisation, or are they attempting to verify our servers?


If you're proxying packets based on User-Name to another server, then *all* packets for those User-Names will get proxied to the other server. Which means that the entire EAP-TLS session will get proxied to the other server.


Your server will not be involved, other than to proxy the packets. So the users will never connect to your server via EAP-TLS. And the users will never see your certificate.


i.e. if their users are seeing problems, it's with their systems, not yours.


> I'm using radiusd -X but I'm finding the logfiles very difficult to parse - from what I can tell the process hangs later in the communications, presumably where the machine is waiting for user input.


Don't make guesses. Find out what's going on.


> What I don't understand is why they say that their users are only prompted 'sometimes', not always.


You'll have to ask them for details.


Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html