Josh Richard wrote:
> What I would like to do is have a WPA2 PEAP/MS_ChapV2 Cisco wireless
> SSID hook into the FR server above.

OK...

> The FR server currently is using rlm_perl to handle authentication and

Please, no. Authentication includes things like EAP. Doing EAP in Perl is not a good idea.

> I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
> to proxy the lookup to a different production FR server containing the
> set of all users. Neat.

Uh... that is an incredibly bad idea. FreeRADIUS already does proxying. Why do it in Perl? You're going to get it wrong.

> When the SSID is wired in, we see this:
>
> [peap] Got inner identity 'jrichar4'
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> rlm_perl: Added pair User-Name = jrichar4
> rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Crypt-Password = *
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
>
> I would prefer to use Auth-Type = Perl in the EAP inner tunnel. Is
> this possible?

Yes. See raddb/sites-enabled/inner-tunnel

> Do I need to overload anything in eap.conf?

No.

But in general, this is a terrible idea. FreeRADIUS has proxying and DB plugins. Redoing all of that in Perl is asking for un-needed complexity.

Alan DeKok.
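
Added example, not part of the original message and not either poster's configuration: one way to have FreeRADIUS itself proxy the PEAP inner-tunnel request to the production server instead of doing it in rlm_perl. The names `prod_radius`, `prod_pool` and `prod_users`, the address and the secret are placeholders, and the production server is assumed to handle the inner EAP-MSCHAPv2 itself.

```text
# raddb/proxy.conf (placeholder names and values throughout)

home_server prod_radius {
        type   = auth
        ipaddr = 192.0.2.10          # documentation address, replace
        port   = 1812
        secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool prod_pool {
        type        = fail-over
        home_server = prod_radius
}

realm prod_users {
        auth_pool = prod_pool
        nostrip                      # forward User-Name unchanged
}

# raddb/sites-enabled/inner-tunnel

authorize {
        # Send the tunneled request to the realm defined above.
        # The log in the message shows the inner request carrying
        # Proxy-To-Realm = LOCAL; this overrides it.
        update control {
                Proxy-To-Realm := "prod_users"
        }

        eap
}
```

The shared secret must match the client entry for this server on the production side, and traffic between the two servers is only as protected as RADIUS itself, so keep that path on a trusted network segment.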