Re: Config for proxying based on auth-protocol
On 10/05/2011 12:54 PM, Alan DeKok wrote:
> Nitin Bhardwaj wrote:
> > I want to configure FreeRADIUS to do the following two things:
> >
> > (1) Handle tunnel for PEAP authentication requested by any supplicant(s),
> > and do mschapv2 auth with another RADIUS server. (Irrespective of
> > the realm in the user-name)
> >
> > (2) Transparently proxy all other non-PEAP requests to another RADIUS
> > server (like LEAP, EAP-FAST etc etc).
> > (Again, Irrespective of the realm in the user-name).
>
> That's impossible. By the time the server discovers that the client is
> using a particular EAP method, the EAP session has started, and it's
> impossible to proxy it to another RADIUS server.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks a lot Alan for the insight.

--
Nitin Bhardwaj

Re: Config for proxying based on auth-protocol
Nitin Bhardwaj wrote:
> I want to configure FreeRADIUS to do the following two things:
>
> (1) Handle tunnel for PEAP authentication requested by any supplicant(s),
> and do mschapv2 auth with another RADIUS server. (Irrespective of
> the realm in the user-name)
>
> (2) Transparently proxy all other non-PEAP requests to another RADIUS
> server (like LEAP, EAP-FAST etc etc).
> (Again, Irrespective of the realm in the user-name).

That's impossible. By the time the server discovers that the client is
using a particular EAP method, the EAP session has started, and it's
impossible to proxy it to another RADIUS server.

Alan DeKok.

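An added illustration of the point in Alan DeKok's reply above (not code from the thread or from FreeRADIUS): the EAP-Message in the first Access-Request carries only an Identity response, and the peer's method preference first shows up in its answer to the server's own EAP-Request. The packet bytes, the user name and the server's PEAP offer are constructed for this example.

```python
import struct

# EAP type numbers (IANA registry) for the methods named in this thread.
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2", 43: "EAP-FAST"}
REQUEST, RESPONSE = 1, 2

def build_eap(code, ident, eap_type, data=b""):
    """Build an EAP Request/Response: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(packet):
    """Parse one reassembled EAP-Message value into (code, id, type, data)."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match packet")
    if code not in (REQUEST, RESPONSE):
        return code, ident, None, b""   # Success/Failure have no Type octet
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, ident, packet[4], packet[5:length]

def peer_method_hint(packet):
    """What a peer Response tells the server about the EAP method.

    Returns [] for Identity/Notification (nothing known yet), the wanted
    methods for a Nak, or a one-element list for a Response inside a method.
    """
    code, _, eap_type, data = parse_eap(packet)
    if code != RESPONSE or eap_type in (None, 1, 2):
        return []
    wanted = list(data) if eap_type == 3 else [eap_type]
    return [EAP_TYPES.get(t, "type-%d" % t) for t in wanted if t != 0]

def first_round_revealing_method(peer_packets):
    """Index of the first peer packet that reveals a method, or None."""
    for i, pkt in enumerate(peer_packets):
        if peer_method_hint(pkt):
            return i
    return None

# Constructed sample exchange: a LEAP supplicant and a server whose first
# offer is PEAP (the offer is an assumption of this example).
IDENTITY = build_eap(RESPONSE, 1, 1, b"user@example.org")  # in the first Access-Request
SERVER_OFFER = build_eap(REQUEST, 2, 25, b"\x20")          # PEAP Start, in an Access-Challenge
PEER_NAK = build_eap(RESPONSE, 2, 3, bytes([17]))          # Nak asking for LEAP
```

`first_round_revealing_method([IDENTITY, PEER_NAK])` returns 1: the method becomes visible only after the server has already answered the first Access-Request with its own EAP-Request.
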
Config for proxying based on auth-protocol
Hello,

I want to configure FreeRADIUS to do the following two things:

(1) Handle tunnel for PEAP authentication requested by any supplicant(s),
and do mschapv2 auth with another RADIUS server. (Irrespective of
the realm in the user-name)

(2) Transparently proxy all other non-PEAP requests to another RADIUS
server (like LEAP, EAP-FAST etc etc).
(Again, Irrespective of the realm in the user-name).

My config for (1) is already working (eap.conf below) and FreeRADIUS is
properly doing ms-chapv2 auth with another RADIUS server.

However, I tried many changes in config, but could not configure it to
do (2). FreeRADIUS itself tries to handle LEAP and EAP-FAST requests.

Please guide me in configuring FreeRADIUS for (2) above.

My eap.conf:

    eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = yes
        cisco_accounting_username_bug = no
        max_sessions = 2048
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${certdir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"
            cache {
                enable = no
                lifetime = 24
                max_entries = 255
            }
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = no
            virtual_server = "proxy-inner-tunnel"
        }
        leap {
        }
        mschapv2 {
        }
    }

--
Nitin Bhardwaj