Re: Config for proxying based on auth-protocol

2011-05-10 Thread Nitin Bhardwaj

On 10/05/2011 12:54 PM, Alan DeKok wrote:

> Nitin Bhardwaj wrote:
>
> > I want to configure FreeRADIUS to do the following two things:
> >
> > (1)  Handle tunnel for PEAP authentication requested by any supplicant(s),
> >   and do mschapv2 auth with another RADIUS server.  (Irrespective of
> > the realm in the user-name)
> >
> > (2) Transparently proxy all other non-PEAP requests to another RADIUS
> > server (like LEAP, EAP-FAST etc etc).
> >  ( Again, Irrespective of the realm in the user-name).
>
>   That's impossible.
>
>   By the time the server discovers that the client is using a particular
> EAP method, the EAP session has started, and it's impossible to proxy it
> to another RADIUS server.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thanks a lot Alan for the insight.

--
Nitin Bhardwaj




Re: Config for proxying based on auth-protocol

2011-05-10 Thread Alan DeKok
Nitin Bhardwaj wrote:
> I want to configure FreeRADIUS to do the following two things:
> 
> (1)  Handle tunnel for PEAP authentication requested by any supplicant(s),
>   and do mschapv2 auth with another RADIUS server.  (Irrespective of
> the realm in the user-name)
> 
> (2) Transparently proxy all other non-PEAP requests to another RADIUS
> server (like LEAP, EAP-FAST etc etc).
>  ( Again, Irrespective of the realm in the user-name).

  That's impossible.

  By the time the server discovers that the client is using a particular
EAP method, the EAP session has started, and it's impossible to proxy it
to another RADIUS server.

  Alan DeKok.
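
An added illustration of the reply above, not part of the original thread and not FreeRADIUS code: a small EAP parser (packet layout and type numbers from RFC 3748 and the IANA EAP registry) run over two constructed exchanges. It shows that the first Response a RADIUS server sees is Identity, which names no method, and that the method only appears after the server has already sent a method Request of its own. The function names and sample packets are assumptions made for the example.

```python
import struct

REQUEST, RESPONSE = 1, 2          # EAP Code values (RFC 3748)
IDENTITY, NAK = 1, 3              # EAP Type values that name no auth method
METHODS = {17: "LEAP", 25: "PEAP", 26: "MSCHAPv2", 43: "EAP-FAST"}

def eap(code, ident, etype, data=b""):
    """Build one EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data

def parse(pkt):
    """Return (code, identifier, type, type_data); type is None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def first_method_hint(exchange):
    """Find where the supplicant first reveals its EAP method.

    Returns (packet index, method names, method Requests this server had
    already sent by then), or None if no packet so far names a method.
    """
    sent = 0
    for i, pkt in enumerate(exchange):
        code, _, etype, data = parse(pkt)
        if etype is None or etype < NAK:
            continue                      # Identity/Notification name no method
        if code == REQUEST:
            sent += 1                     # server has opened a method conversation
        elif code == RESPONSE and etype == NAK:
            return i, [METHODS.get(t, f"type {t}") for t in data], sent
        elif code == RESPONSE:
            return i, [METHODS.get(etype, f"type {etype}")], sent
    return None

# Constructed exchanges as seen by the RADIUS server (EAP-Message contents only;
# the type-data bytes are placeholders, not real challenges or TLS records).
LEAP_CLIENT = [
    eap(RESPONSE, 1, IDENTITY, b"bob"),   # first Access-Request: no method yet
    eap(REQUEST, 2, 26, b"\x01"),         # server proposes its default (MSCHAPv2)
    eap(RESPONSE, 2, NAK, bytes([17])),   # supplicant asks for LEAP instead
]
PEAP_CLIENT = [
    eap(RESPONSE, 1, IDENTITY, b"alice"),
    eap(REQUEST, 2, 25, b"\x20"),         # PEAP Start flag
    eap(RESPONSE, 2, 25, b"\x00"),        # supplicant continues with PEAP
]
```

In both sample exchanges the method is first visible at packet index 2, after one method Request has already gone out from this server.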


Config for proxying based on auth-protocol

2011-05-09 Thread Nitin Bhardwaj

Hello,

I want to configure FreeRADIUS to do the following two things:

(1)  Handle tunnel for PEAP authentication requested by any supplicant(s),
  and do mschapv2 auth with another RADIUS server.  (Irrespective of
  the realm in the user-name)

(2) Transparently proxy all other non-PEAP requests to another RADIUS
server (like LEAP, EAP-FAST etc etc).
 ( Again, Irrespective of the realm in the user-name).

My config for (1) is already working (eap.conf below) and FreeRADIUS is
properly doing ms-chapv2 auth with another RADIUS server. However, I tried
many changes in config, but could not configure it to do (2). FreeRADIUS
itself tries to handle LEAP and EAP-FAST requests.


Please guide me in configuring FreeRADIUS for (2) above.


My eap.conf:
eap {
    default_eap_type = mschapv2
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no
    max_sessions = 2048

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        CA_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }

    leap {
    }

    mschapv2 {
    }
}

--

Nitin Bhardwaj
