Joakim

You could certainly do this with EAP-TTLS/PAP.  I know because I've
done it myself in a previous job.

It's quite simple really.  You have the outer authentication using one
realm (possibly the null realm and using the name 'anonymous').  In
the inner authentication, you use another realm that is proxied by the
FreeRADIUS server to the remote server supporting PAP.  I've done
exactly this with CryptoCARD servers and with Vasco servers.  You may
need to strip the decoration from the username before forwarding the
PAP authentication request to the back end server.

e.g. [EMAIL PROTECTED] might need to be reduced to just guyd before that
username would be correctly authenticated by the backend server.

Rgds,

Guy

On 31/01/2008, Joakim Lindgren <[EMAIL PROTECTED]> wrote:
> Hi all (and really thanks to Alan DeKok),
>
> I have a complete EAP-PEAP/TLS/TTLS configuration working against FreeRadius
> and IAS.
> A software I'm using is offering two factor authentication and they got
> their own Radius who only supports PAP.
>
> Is it possible to terminate the client EAP connection at the FreeRadius
> proxy and forward the request as a PAP to
> the software vendor's own Radius?
>
> In case it works, briefly, how do I do it?
>
> Thanks all!
>  (I'm going to buy Alan DeKok's coming FreeRadius book ;-)
>
> Sincerely Joakim
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
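
Added example, not part of the thread and not FreeRADIUS code: a Python sketch of the request a proxy sends to the PAP-only back end once the EAP-TTLS tunnel has been terminated, with the realm decoration stripped and the password hidden as RFC 2865 section 5.2 specifies. The user name, shared secret and NAS-Identifier value are constructed. Only an MD5 keystream derived from the shared secret protects the password on this hop, so the secret shared with the back end needs to be long and random.

```python
import hashlib
import os
import struct

def strip_realm(user_name: str) -> str:
    """Drop a trailing '@realm' decoration: 'guyd@example.org' -> 'guyd'."""
    return user_name.rsplit("@", 1)[0]

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the back end does: anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(inner_user, password, secret, ident=1, authenticator=None):
    """Access-Request (code 1) carrying the stripped User-Name and hidden password."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, strip_realm(inner_user).encode())                   # User-Name
             + attr(2, hide_password(password, secret, authenticator))  # User-Password
             + attr(32, b"ttls-proxy"))        # NAS-Identifier (constructed value)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    # Constructed inner identity, one-time code and shared secret.
    pkt = build_access_request("guyd@example.org", b"123456", b"constructed-secret")
    print(pkt.hex())
```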
