I can't believe it. We had a line in our hints file that was totally
screwing us up -- I had no idea it was there until just now:
DEFAULT Prefix == "anonymous", Strip-User-Name = No
        Realm = "LOCAL"
This is why I couldn't understand what you guys were talking about,
since we always use anonymous as our outer-identity for TLS type
connections, I could not for the life of me figure out why adding a
server to the proxy.conf would ever work. Is it possible to select
based on EAP-type (i.e. if TTLS, do LOCAL authentication?) Right now we
are doing it based on prefix/suffix.
Regardless, I think we have this solved now. This problem was way
easier than we thought once we got a grasp on all of the processing we
were doing. Argh! Thank you Ivan & Alan for pointing us in the right
direction.
Sincerely,
Max
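To make the hints-file trap above concrete, here is an added example (not FreeRADIUS code, and not from Max or Alan): a toy Python model of realm selection. It mirrors the real ordering, where hints run before the suffix lookup, so a hints rule that forces Realm = "LOCAL" on an "anonymous" outer identity wins and no proxy.conf realm can ever match. The rule list, the realm table, the home-server name "ad-pool.partner.example" and the realm "partner.example" are all constructed for the example.

```python
"""Added example, not FreeRADIUS code: a toy model of realm selection that
shows why a hints rule forcing Realm = "LOCAL" on the anonymous outer
identity prevents any proxy.conf realm from matching."""

# Constructed hints-style rules, mirroring the line quoted in the post:
# (prefix, strip_user_name, forced_realm)
HINTS_BROKEN = [("anonymous", False, "LOCAL")]
HINTS_FIXED = []  # the same hints file with the offending line removed

# Constructed proxy.conf-style realm table: realm name -> home server pool.
# None means "handle locally", as for the LOCAL realm.
REALMS = {
    "LOCAL": None,
    "partner.example": "ad-pool.partner.example",  # hypothetical remote pool
}


def apply_hints(user_name, hints):
    """Return (user_name, forced_realm) after the first matching prefix rule.

    A forced_realm of None means no hint touched the Realm attribute.
    """
    for prefix, strip, realm in hints:
        if user_name.startswith(prefix):
            if strip:
                user_name = user_name[len(prefix):]
            return user_name, realm
    return user_name, None


def resolve_realm(user_name, hints, realms=REALMS):
    """Pick (realm, home_server) for an outer identity.

    Models the FreeRADIUS ordering: hints run first, and a Realm already set
    by hints is honoured instead of the '@suffix' lookup against proxy.conf.
    The name "NULL" stands in for "no realm matched, handle locally".
    """
    user_name, forced = apply_hints(user_name, hints)
    if forced is not None:
        return forced, realms.get(forced)
    if "@" not in user_name:
        return "NULL", None
    suffix = user_name.rsplit("@", 1)[1].lower()
    if suffix in realms:
        return suffix, realms[suffix]
    return "NULL", None


def proxied(user_name, hints):
    """True when the request would be forwarded to a home server."""
    return resolve_realm(user_name, hints)[1] is not None


if __name__ == "__main__":
    identity = "anonymous@partner.example"
    for hints, label in ((HINTS_BROKEN, "with hints line"),
                         (HINTS_FIXED, "without it")):
        print(label, resolve_realm(identity, hints), "proxied:",
              proxied(identity, hints))
```

Running it shows the same identity resolving to ("LOCAL", None) with the hints line present and to the partner realm without it. On a real server the equivalent check is to run radiusd -X and read which realm the request is reported as matching before touching proxy.conf.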
a.l.m.bu...@lboro.ac.uk wrote:
Hi,
What we are wondering is if it's possible to still have requests come
through to our freeradius box, and instead of providing the certificate
and proxying the contents of the inner tunnel to the AD box, if it's
possible to simply proxy the entire request, PEAP/MSCHAP and all,
directly to their AD servers? They are hesitant to allow our freeradius
box to join the domain, and if it's doable, a workaround would be the
preferred route.
yes, sure you can - they'll have to run IAS or NPS (ad2003 or ad2008 etc.)
and then you simply proxy the whole shaboodle off to them to deal with
- then you don't need to play around with ntlm_auth etc. of course,
they'll have to put the required certs onto their auth system but that's a minor
issue.
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html