Think about upgrading to 2.0.1. You can then configure default home server to handle requests A and another virtual server to terminate TLS and proxy PAP requests to a remote home server.
I don't quite get this bit about encrypted requests. Radius packets *are* encrypted.

Ivan Kalik
Kalik Informatika ISP

On 31/1/2008, "Joakim Lindgren" <[EMAIL PROTECTED]> writes:

>Hi all, thanks for your explanation earlier!
>
>I need your help with EAP-TTLS and PAP. I have earlier set up
>EAP-PEAP/EAP-TTLS and EAP-TLS working OK!
>I tried configuring the TTLS-PAP inner and outer tunnel but it will not work
>(and yes I have searched the forum, as always ;-)
>
>Here is my explanation of what I'm trying to do:
>
>A. If an incoming user conn. against the FreeRadius Server (Nr1)
>belongs to the "OTHER" (LOCAL) domain then
>the EAP-TTLS tunnel is ended and validated against the LDAP. (And yes, I
>didn't name the server ;-)
>
>B. If an incoming user conn. against the FreeRadius Server (Nr1)
>belongs to the "SECURSERVER" domain then
>the EAP-TTLS tunnel is ended and PAP is proxied to other Radius (Nr 2).
>
>I have tried several different conf. and as best I see requests coming to
>Radius Nr2 but they're encrypted (Wireshark).
>The config files look like this (as for now, thanks in advance!):
>
>================================================================================================
>eap.conf
>========
>
>        eap {
>                default_eap_type = ttls
>                timer_expire = 60
>                ignore_unknown_eap_types = no
>                cisco_accounting_username_bug = no
>                md5 {
>                }
>                leap {
>                }
>                gtc {
>                        auth_type = PAP
>                }
>                tls {
>                        private_key_password = password
>                        private_key_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
>                        certificate_file = ${raddbdir}/certs/jaysCA2/osuse-freeradius/server_keycert.pem
>                        CA_file = ${raddbdir}/certs/jaysCA2/cacert.pem
>                        dh_file = ${raddbdir}/certs/dh
>                        random_file = ${raddbdir}/certs/random
>                        fragment_size = 1024
>                        include_length = yes
>                }
>                ttls {
>                        default_eap_type = md5
>                        copy_request_to_tunnel = yes
>                        use_tunneled_reply = yes
>                }
>                peap {
>                        default_eap_type = mschapv2
>                        proxy_tunneled_request_as_eap = no
>                }
>                mschapv2 {
>                }
>        }
>===END EAP======================================================================================
>
>================================================
>users
>========
>DEFAULT FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "SECURACCESS", Auth-Type := PAP
>DEFAULT Auth-Type != LDAP
>================================================
>
>================================================
>Proxy.conf
>========
>realm LOCAL {
>        type = radius
>        authhost = LOCAL
>        accthost = LOCAL
>}
>
>realm SECURACCESS {
>        type = radius
>        authhost = 192.168.1.75:1812
>        accthost = 192.168.1.75:1813
>        secret = toor
>#       nostrip
>}
>================================================
>
>================================================================================================
>radiusd.conf
>========
>
>....
>modules {
>        pap {
>                auto_header = yes
>        }
>        chap {
>                authtype = CHAP
>        }
>        pam {
>                pam_auth = radiusd
>        }
>        unix {
>                cache = no
>                cache_reload = 600
>                radwtmp = ${logdir}/radwtmp
>        }
>
>$INCLUDE ${confdir}/eap.conf
>
>        mschap {
>                use_mppe = yes
>                require_encryption = yes
>                require_strong = yes
>        }
>
>        ldap {
>                server = "192.168.1.71"
>                identity = "cn=admin,o=Contonso"
>                password = "toor"
>                basedn = "o=Contonso"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                start_tls = yes
>                tls_mode = no
>                tls_cacertfile = /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>                ldap_connections_number = 5
>                password_attribute = nspmPassword
>                tls_require_cert = "allow"
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>                port = 389
>                edir_account_policy_check = yes
>        }
>
>        realm suffix {
>                format = suffix
>                delimiter = "@"
>                ignore_default = no
>                ignore_null = no
>        }
>
>        realm ntdomain {
>                format = prefix
>                delimiter = "\\"
>                ignore_default = no
>                ignore_null = no
>        }
>
>....
>
>authorize {
>        preprocess
>        chap
>        mschap
>        suffix
>        ntdomain
>        eap
>        files
>        ldap
>        pap
>}
>
>authenticate {
>        Auth-Type PAP {
>                pap
>        }
>        Auth-Type CHAP {
>                chap
>        }
>        Auth-Type MS-CHAP {
>                mschap
>        }
>        unix
>        Auth-Type LDAP {
>                ldap
>        }
>        eap
>}
>
>post-auth {
>        ldap
>        Post-Auth-Type REJECT {
>                ldap
>        }
>}
>
>===END radiusd.conf================================================================================
>
>================================================
>clients.conf
>========
>client 192.168.1.0/24 {
>        secret = toor
>        shortname = private-network-1
>}
>================================================

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
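The layout Ivan suggests (a default server for request A, a separate virtual server that sees the decrypted TTLS inner request and proxies PAP to a remote home server), written out in FreeRADIUS 2.x syntax as an added example; it is not code from the thread. The address, realm name and secret are the ones in Joakim's post, the virtual server name "inner-tunnel" and the unlang condition are my choices, and only the inner request (not the EAP-TTLS outer conversation) ever reaches the SECURACCESS server.

```unlang
# proxy.conf, FreeRADIUS 2.x syntax: the remote home server for request B
home_server securaccess {
        type   = auth
        ipaddr = 192.168.1.75
        port   = 1812
        secret = toor   # from the post; on this hop the PAP password is hidden only by this secret
}
home_server_pool securaccess_pool {
        type        = fail-over
        home_server = securaccess
}
realm LOCAL {
        # no auth_pool: request A is handled on this server
}
realm SECURACCESS {
        auth_pool = securaccess_pool
        nostrip           # send user@SECURACCESS unchanged to the remote server
}

# eap.conf: hand the decrypted TTLS inner request to a virtual server
ttls {
        default_eap_type       = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes
        virtual_server         = "inner-tunnel"   # name assumed
}

# sites-enabled/inner-tunnel: runs on the plaintext inner request only
server inner-tunnel {
        authorize {
                suffix          # user@SECURACCESS sets control:Proxy-To-Realm
                ntdomain        # SECURACCESS\user has the same effect
                if (control:Proxy-To-Realm) {
                        noop    # request B: inner PAP request goes to the securaccess pool
                }
                else {
                        ldap    # request A: LOCAL or no realm, look the user up in LDAP
                }
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type LDAP {
                        ldap
                }
        }
}
```

The outer EAP-TTLS request is still handled by the default server with `eap` in its authorize and authenticate sections; it must not list SECURACCESS users for proxying itself, or the outer EAP conversation is forwarded instead of the inner PAP one.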