Woohoo!!! I think I finally got it to work!

I put the following in the eap.conf file:

        peap {
                #  The tunneled EAP session needs a default
                #  EAP type which is separate from the one for
                #  the non-tunneled EAP module.  Inside of the
                #  PEAP tunnel, we recommend using MS-CHAPv2,
                #  as that is the default type supported by
                #  Windows clients.
                default_eap_type = mschapv2
                proxy_tunneled_request_as_eap = no
                copy_request_to_tunnel = yes
        }

And put this in the top of the users file:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "adt.com"


I'm gonna do some more testing, but it looks like this works. I can proxy the inner MSCHAP authentication either to my other freeradius test server, or to my Microsoft IAS server (which was the real point).


Now I'm gonna try and add LEAP and TTLS.


Thanks for all your help man! You rock!





On Apr 14, 2004, at 9:46 AM, Alan DeKok wrote:


Bob McCormick <[EMAIL PROTECTED]> wrote:
If I include both of these lines:

DEFAULT FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL

Hmm... I think that should have been "!*" instead of "=*".


Then the "myrealm" radius server does receive a request from the proxy,
but issues the following complaint in its output logs:


auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

So... configure the "myrealm" radius server to handle whatever authentication is in the tunneled session.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
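
An added example, not part of the original messages and not FreeRADIUS code: a simplified Python model of the users-file check-item operators discussed in this thread (`==`, `=*`, `!*`, `:=`), run against a constructed outer request and a constructed inner tunneled request. It assumes only the inner request carries FreeRADIUS-Proxied-To = 127.0.0.1, as the users-file line above implies; the function names and sample requests are hypothetical.

```python
import re

# Simplified model of users-file check-item operators; not FreeRADIUS code.
ITEM = re.compile(r'^(\S+)\s*(:=|==|!=|=\*|!\*)\s*(.*)$')

def parse_entry(line):
    """Split 'NAME item, item, ...' into (name, [(attr, op, value), ...])."""
    name, _, rest = line.strip().partition(' ')
    items = []
    for raw in rest.split(','):  # naive split: sample values hold no commas
        if not raw.strip():
            continue
        m = ITEM.match(raw.strip())
        if not m:
            raise ValueError(f'cannot parse check item: {raw!r}')
        attr, op, value = m.groups()
        items.append((attr, op, value.strip().strip('"')))
    return name, items

def evaluate(line, request):
    """Return (matched, control) for one users-file entry and one request."""
    _, items = parse_entry(line)
    req = {k.lower(): v for k, v in request.items()}  # case-insensitive names
    control = {}
    for attr, op, value in items:
        key = attr.lower()
        if op == ':=':            # always matches; sets a control item
            control[attr] = value
            continue
        ok = {'==': req.get(key) == value,            # present with this value
              '!=': key in req and req[key] != value,
              '=*': key in req,                       # present, value ignored
              '!*': key not in req}[op]               # absent
        if not ok:
            return False, {}
    return True, control

# Constructed requests. Assumption: only the tunneled inner request carries
# FreeRADIUS-Proxied-To = 127.0.0.1.
OUTER = {'User-Name': 'bob', 'EAP-Message': '<outer PEAP>'}
INNER = {'User-Name': 'bob', 'FreeRADIUS-Proxied-To': '127.0.0.1'}

ENTRIES = {  # the three variants that appear in this thread
    'working': 'DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "adt.com"',
    'exists':  'DEFAULT FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL',
    'absent':  'DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL',
}

if __name__ == '__main__':
    for label, entry in ENTRIES.items():
        for kind, req in (('outer', OUTER), ('inner', INNER)):
            print(label, kind, evaluate(entry, req))
```
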


