Fred MAISON wrote:
> Yes, JUAC is an inner EAP protocol, inside ttls or peap.

Then you should be able to proxy it by just proxying the inner tunnel data.

> I have proposed to replace SteelBelted by freeradius, and I succeeded in
> passing initial testing, but my current setup was without inner-tunnel
> modules correctly configured, which means there is a lot of unneeded
> ldap access (anonymous identities which do not exist in the ldap backend
> and so on ...) and no possibility to configure the outer and inner
> (when present) author/authent separately ...

I don't know what you mean by that. It shouldn't be much of a problem to configure it.

> I think I did not give you enough information:
> * All NAS point to freeradius
> * All EAP protos without inner tunnel must be authenticated by
> freeradius using a ldap backend (I found existing devices only able to do
> EAP-LEAP for example, but maybe there are some other insecure eap types)

Uh... don't use LEAP. Use TTLS or PEAP.

> * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or
> EAP-PEAP/EAP-JUAC (outer/inner)
> * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate the
> inner identity against ldap for authorize (ldap radiusgroupname
> membership) and authenticate (most common seems to be mschapv2 using the
> ntpassword recovered from ldap during authorize). The outer identity will
> not be checked because of encountered client-side configuration
> inconsistencies.

So... figure out who's supposed to do EAP-JUAC, and proxy them. Authenticate everyone else inside of the tunnel.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
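The split Alan describes (proxy the inner request for the JUAC population, authenticate everyone else against LDAP inside the tunnel) can be expressed in the inner-tunnel virtual server. The following is an added illustration, not configuration from either poster or from the FreeRADIUS project; it uses FreeRADIUS 2.x unlang as shipped in `sites-available/inner-tunnel` and `proxy.conf`. The realm `juac.example`, the home server address `192.0.2.10`, the shared secret placeholder and the group name `wifi-users` are constructed placeholders, and it assumes the JUAC users can be recognised by the realm in their inner identity.

```text
# proxy.conf (added example): where inner EAP-JUAC requests are forwarded
home_server juac_sbr {
        type    = auth
        ipaddr  = 192.0.2.10            # placeholder: the SteelBelted host
        port    = 1812
        secret  = CHANGE_ME_SHARED_SECRET
        require_message_authenticator = yes
}

home_server_pool juac_pool {
        type        = fail-over
        home_server = juac_sbr
}

# Inner identities of the form user@juac.example are proxied.
realm juac.example {
        auth_pool = juac_pool
        nostrip                         # forward the full User-Name
}

# sites-enabled/inner-tunnel (added example), authorize/authenticate only
server inner-tunnel {
        authorize {
                # Split user@realm.  For realms defined in proxy.conf this
                # sets control:Proxy-To-Realm, so the inner request (and with
                # it the EAP-JUAC payload) is proxied instead of handled here.
                suffix

                if (control:Proxy-To-Realm) {
                        # JUAC population: no LDAP lookup, no local EAP.
                        ok
                }
                else {
                        # Everyone else stays local; never proxy by accident.
                        update control {
                                Proxy-To-Realm := LOCAL
                        }

                        # Sets Auth-Type = EAP for the inner EAP-MSCHAPv2.
                        eap {
                                ok = return
                        }

                        # Pull the user's attributes; ldap.attrmap must map
                        # the LDAP NT hash attribute to NT-Password so the
                        # mschap module can verify the MS-CHAPv2 response.
                        ldap

                        # Authorization: radiusGroupName membership.
                        if (!(Ldap-Group == "wifi-users")) {
                                reject
                        }
                }
        }

        authenticate {
                eap
        }
}
```

Because the outer server hands the decrypted inner data to `inner-tunnel`, the proxying happens on the inner request only: the TLS tunnel still terminates on FreeRADIUS, and the home server sees just the inner EAP conversation. For the local branch, the `ldap` call runs on each inner MS-CHAPv2 packet, which is what supplies `NT-Password` at the moment the response is checked; the `Ldap-Group` comparison needs `groupmembership_attribute` in the `ldap` module configuration to point at the `radiusGroupName` attribute mentioned in the thread.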