Alan DeKok wrote:
> > > If you're using EAP-TTLS, then the tunneled session is often just
> > > normal non-EAP authentication, and that can be proxied.
> >
> > (and I suppose the same applies more or less to PEAP?)
>
> No. PEAP tunnels EAP, and only EAP.

I see. However, theoretically, I again could "translate" the tunneled EAP if it's something that can be translated to a simple CHAP or PAP (or MS-CHAP) request and forward that. It's obviously not as easy as for EAP-TTLS, though.

> > So, out of the popular EAP protocols, EAP-TLS is the only one,
> > which really can't be proxied at all, unless I'm missing something.
>
> Uh, no. *all* EAP methods can be proxied.

Sorry, bad wording on my part, I meant to say "forwarded to a non-EAP-enabled server".

> > Anyway, for a first try I'd be very happy with being able to forward
> > whatever normal non-EAP authentication is used inside EAP-TTLS
> > to my old RADIUS server which doesn't support EAP. Is that currently
> > possible without hacking the source?
>
> Yes. See the list archives for examples.

Any suggestion for a good search string? The one I figured out essentially just gave me that mail I referred to ...

Thanks,
Stefan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html