> Fred MAISON wrote:
> > Yes, JUAC is an inner EAP protocol, inside ttls or peap.
>
> Then you should be able to proxy it by just proxying the inner tunnel
> data.

Yes, how can I do that? May I activate the proxy-inner-tunnel site along with the inner-tunnel site? The EAP-JUAC EAP-Type seems to be 254. May this help along with the ignore unknown eap type flag?

> > I have proposed to replace SteelBelted by freeradius, and I succeed to
> > pass initial testings, but my current setup was without inner-tunnel
> > modules correctly configured, which means there is a lot of unneeded
> > ldap access (anonymous identities which do not exist in the ldap backend
> > and so on ...) and impossibility to configure separately outer and inner
> > (when present) author/authent ...
>
> I don't know what you mean by that. It shouldn't be much of a problem
> to configure it.
>
> > I think I did not give you enough information:
> > * All NAS point to freeradius
> > * All EAP protos without inner tunnel must be authenticated by
> > freeradius using a ldap backend (I found existing devices only able to do
> > EAP-LEAP for example, but maybe there are some other insecure eap types)
>
> Uh... don't use LEAP. Use TTLS or PEAP.

I agree with you. And the main goal of the current setup is to catch enough information to force user/workstation migration to TTLS when possible; some devices will remain on LEAP since they seem to be hardcoded to do LEAP and only LEAP ...

> > * juac is an inner protocol, it can be EAP-TTLS/EAP-JUAC or
> > EAP-PEAP/EAP-JUAC (outer/inner)
> > * for all other tunneled EAP-TTLS/* or EAP-PEAP/*, I have to validate
> > the inner identity against ldap for authorize (ldap radiusgroupname
> > membership) and authenticate (most common seems to be mschapv2 using
> > the ntpassword recovered in ldap during authorize). The outer identity will not
> > be checked because of encountered client-side configuration
> > inconsistencies.
>
> So... figure out who's supposed to do EAP-JUAC,

Yes, but based on what? I currently use a realm, but this can be changed by the end-user to bypass JUAC host checking capabilities ...

> and proxy them.
> Authenticate everyone else inside of the tunnel.

Yes, it's what I need, but I don't fully master how to do that. Maybe the first point related to enabling the site proxy-inner-tunnel? If so, it seems to be very unselective (I mean ALL protocols doing inner-tunnel will be proxied to UAC, leaving only EAP-LEAP on freeradius). This could be a good solution for me.

Best regards
Fred MAISON

> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
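As an added illustration (not from either poster) of the "proxy only the JUAC users, authenticate everyone else inside the tunnel" approach, selected by the inner identity's realm as the original poster already does: a FreeRADIUS 2.x proxy.conf realm plus an inner-tunnel authorize section. The home server address, secret and realm name are placeholders; the stock inner-tunnel site forces `Proxy-To-Realm := LOCAL` after `suffix`, and that override is what has to go for inner proxying to happen at all.

```conf
# --- proxy.conf: the JUAC back end, reachable only for one inner realm ---
home_server juac_srv {
	type   = auth
	ipaddr = 192.0.2.10        # placeholder: address of the UAC/JUAC server
	port   = 1812
	secret = CHANGE_ME         # placeholder shared secret
}
home_server_pool juac_pool {
	type        = fail-over
	home_server = juac_srv
}
realm juac.example {           # placeholder: realm the JUAC supplicants use
	auth_pool = juac_pool
}

# --- sites-available/inner-tunnel: decide per inner identity ---
server inner-tunnel {
	authorize {
		# "suffix" splits user@realm; for a realm that has an auth_pool it
		# sets control:Proxy-To-Realm, for unknown realms it sets nothing.
		suffix
		# Do NOT keep the default "update control { Proxy-To-Realm := LOCAL }"
		# here, it would cancel the proxy decision for every inner request.
		if (control:Proxy-To-Realm) {
			# JUAC inner identity: leaves via juac_pool, no local ldap work
			ok
		}
		else {
			# everyone else: local group check + MS-CHAPv2 material from ldap
			ldap
			mschap
			eap
		}
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	post-proxy {
		# hands the JUAC server's reply back into the outer TTLS/PEAP state
		eap
	}
}
```

Selection is by realm only, so a supplicant that changes its realm is authenticated locally against ldap rather than by the JUAC host check; restricting the LDAP group to JUAC-validated users is the compensating control to consider for that case.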