Okay...one step closer. I had been using a debian version of freeradius 1.0.2 and hacked in the eap-tls. I have since followed Ben Kenobi's advice and "use the source". It appears to be sending packets to the IAS box now, and I can cut the stuff out and use radclient and have IAS respond, however it doesn't seem to be responding to the server process. One step closer - miles away!

:)

Dan Newcombe wrote:

Hi all. I've done my best to try and figure this out myself, but am really stuck. First the basics: An enterasys C2 switch setup to do 802.1x authentication. This switch points to my freeradius server. Attached to the switch is my XP notebook, which is setup to do 802.1x via PEAP. On the back end is a Win2k3 server which is running IAS. The idea is to have all the network switches send the authentication requests to the freeradius server, which will then decide if it needs to go to the windows box (for staff) or a different box (for students). Also, the Win2k3 IAS server has a limit of 50 clients unless you scale up to the advanced server, which I find just sad that they have done this.

Anyway, I have tested from the freeradius box to the IAS box using radtest, and everything is working, so I am being seen as a client. The problem is when I try and have the notebook authenticate. I see "rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP." in the debug output, which I gather is normal, but somehow part of the problem. Basically, the IAS server seems to ignore whatever is coming across from the freeradius box. My (uneducated) guess is that this is because it has the EAP parms in it, but is not eap??? However, a normal "clear-text" attempt via radtest works fine.

I have found this post by Alan DeKok - http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/26170 - which sounds very similar to what I am doing:

First, configure the server to terminate the tunnel, and
authenticate the inner session locally.  Once that works, configure
the server to proxy the inner session only.

I guess where I am really lost is how to follow the above suggestion.
This is what it is sending to the IAS box, which is being ignored.
Sending Access-Request of id 1 to 172.25.8.114:1812
      User-Name = "CCSU\\dan"
      Called-Station-Id = "00-11-88-12-6e-70"
      Calling-Station-Id = "00-0f-1f-43-c8-38"
      NAS-Identifier = "00-11-88-12-6e-5d"
      NAS-IP-Address = 172.25.7.11
      NAS-Port = 19
      Framed-MTU = 1500
      NAS-Port-Type = Ethernet
      EAP-Message = 0x0202001201434353555c646e6577636f6d63
      Message-Authenticator = 0x00000000000000000000000000000000
      Proxy-State = 0x3432

Thanks for any help...I'm really stuck on this part!
  -Dan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
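Editor's added example (not part of Dan's mail and not FreeRADIUS code): a small Python decoder for the EAP-Message attribute in the debug output above, plus a re-implementation of the realm split that the rlm_realm module performs. It shows two things the thread turns on: the packet being proxied is a complete EAP Response/Identity (code 2, type 1), so the home server is expected to continue an EAP conversation, not to see a clear-text password as radtest sends; and whether a realm is found depends on the delimiter and format the realm module is configured with. With the stock suffix split on "@" the identity has no realm, which is the "proxied to Realm NULL" case in the log; with the ntdomain-style prefix split on "\" the realm would be "CCSU". The function names (join_eap_messages, parse_eap, split_realm, decode_from_debug) are mine, and the hex value is copied from the EAP-Message line in the mail.

```python
import struct

# Hex value copied from the EAP-Message attribute in Dan's debug output.
EAP_MESSAGE_HEX = "0202001201434353555c646e6577636f6d63"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def join_eap_messages(attrs):
    """RADIUS carries EAP in one or more EAP-Message attributes (RFC 3579);
    fragments must be concatenated in order before the EAP header is parsed."""
    return b"".join(attrs)


def parse_eap(packet):
    """Parse one EAP packet (RFC 3748 section 4).
    Raises ValueError when the header is short or the Length field
    disagrees with the bytes actually supplied."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(packet))
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length %d inconsistent with %d bytes"
                         % (length, len(packet)))
    body = packet[4:length]
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident, "length": length}
    if code in (1, 2):
        # Request and Response carry a Type byte followed by type data.
        if not body:
            raise ValueError("EAP Request/Response needs a Type byte")
        eap_type = body[0]
        info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if eap_type == 1:
            # Identity type data is the peer's identity string.
            info["identity"] = body[1:].decode("utf-8", errors="replace")
    return info


def split_realm(name, delimiter="@", fmt="suffix"):
    """Mimic rlm_realm's split of a name into (realm, user).
    fmt='suffix' handles user@realm, as the stock 'realm suffix' block does;
    fmt='prefix' with delimiter '\\' handles DOMAIN\\user ('realm ntdomain').
    Returns (None, name) when the delimiter is absent: the NULL realm case."""
    if delimiter not in name:
        return None, name
    if fmt == "prefix":
        realm, _, user = name.partition(delimiter)
    else:
        user, _, realm = name.rpartition(delimiter)
    return realm, user


def decode_from_debug(hex_value):
    """Turn the 0x... string printed by radiusd -X into a parsed EAP packet."""
    return parse_eap(join_eap_messages([bytes.fromhex(hex_value)]))


if __name__ == "__main__":
    eap = decode_from_debug(EAP_MESSAGE_HEX)
    print(eap)
    ident = eap.get("identity", "")
    print("suffix realm  :", split_realm(ident))
    print("ntdomain realm:", split_realm(ident, delimiter="\\", fmt="prefix"))
```

Two things worth knowing when reading such a dump: the decoded identity here is not identical to the User-Name shown in the same request, which is consistent with the mail having been edited before posting, and a proxy routes on User-Name while the home server authenticates the identity inside EAP, so the two should normally agree. The all-zero Message-Authenticator is the placeholder that FreeRADIUS fills with the HMAC-MD5 when it actually encodes the packet, after the attribute list has been printed, so it is not by itself a sign that the request is malformed.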

