Alan DeKok wrote:
> > > If you're using EAP-TTLS, then the tunneled session is often just
> > > normal non-EAP authentication, and that can be proxied.
> >
> > (and I suppose the same applies more or less to PEAP?)
>
> No. PEAP tunnels EAP, and only EAP.
I see. However, theoretically, I again could "translate" the tunneled
EAP if it's something that can be translated to a simple CHAP or
PAP (or MS-CHAP) request and forward that. It's obviously not as
easy as for EAP-TTLS, though.
> > So, out of the popular EAP protocols, EAP-TLS is the only one,
> > which really can't be proxied at all, unless I'm missing something.
>
> Uh, no. *all* EAP methods can be proxied.
Sorry, bad wording on my part, I meant to say
"forwarded to a non-EAP-enabled server"
> > Anyway, for a first try I'd be very happy with being able to forward
> > whatever normal non-EAP authentication is used inside EAP-TTLS
> > to my old RADIUS server which doesn't support EAP. Is that currently
> > possible without hacking the source?
>
> Yes. See the list archives for examples.
Any suggestion for a good search string? The one I figured
out essentially just gave me that mail I referred to ...
Thanks,
Stefan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
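
The forwarding discussed in this thread, as an added example that is not part of the original mails and not FreeRADIUS code: once the TTLS tunnel is terminated, inner PAP arrives as Diameter-format AVPs (RFC 5281), which can be re-encoded as a plain Access-Request for a server without EAP support. The function names, the sample bytes and the shared secret used with them are assumptions made for this sketch.

```python
import hashlib
import struct

# Constructed sample: User-Name "bob", User-Password "secret" (null-padded to 16).
SAMPLE_INNER = (b"\x00\x00\x00\x01\x40\x00\x00\x0b" + b"bob\x00"
                + b"\x00\x00\x00\x02\x40\x00\x00\x18" + b"secret" + b"\x00" * 10)

def parse_ttls_avps(data):
    """Parse the Diameter-format AVPs carried inside the TTLS tunnel (RFC 5281)."""
    avps, off = {}, 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", data, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8       # V bit: a 4-byte Vendor-ID follows
        if length < hdr or off + length > len(data):
            raise ValueError("bad AVP length")
        if not flags & 0x80:                  # keep standard (non-vendor) AVPs only
            avps[code] = data[off + hdr:off + length]
        off += (length + 3) & ~3              # AVPs are padded to 4-byte boundaries
    return avps

def hide_password(password, secret, authenticator):
    """RADIUS User-Password hiding (RFC 2865, section 5.2)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def inner_pap_to_radius(inner, secret, authenticator, ident):
    """Re-encode tunneled PAP credentials as a plain (non-EAP) Access-Request."""
    avps = parse_ttls_avps(inner)
    if 1 not in avps or 2 not in avps:        # e.g. tunnel carries EAP-Message (79)
        raise ValueError("inner method is not PAP")
    user, password = avps[1], avps[2].rstrip(b"\x00")  # drop TTLS null padding
    if not 1 <= len(user) <= 253 or len(password) > 128:
        raise ValueError("value does not fit a RADIUS attribute")
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```

On the forwarded hop the password is no longer protected by TLS, only by the RADIUS shared-secret hiding shown in `hide_password`, so that link needs its own protection.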