Re: Proxy EAP - TLS Nesting.
brisston...@free.fr wrote:
> I have to proxy all authentication requests to a virtual server (not just PEAP). We
> have different kinds of internal users (student, staff, guest, ...). Each of
> them is managed by one virtual server associated with one realm. For example, for the
> student:

So... are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

> I can only specify one IP address and one port in the NAS configuration (wired dot1x
> and wireless network) and I will use the proxy port (1812).
>
> Maybe there is another method to do that... But I think that using a proxy is the
> best way.

You've described your configuration at a *very* high level. I still have no idea what you're trying to do, or what is actually happening in your system.

Perhaps explaining things in detail would help, or showing the output of debug mode as suggested in the FAQ, README, INSTALL, "man" page, web page, configuration files, and daily on this list.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Proxy EAP - TLS Nesting.
Hi, thanks for your reply.

I have to proxy all authentication requests to a virtual server (not just PEAP). We have different kinds of internal users (student, staff, guest, ...). Each of them is managed by one virtual server associated with one realm. For example, for the student:

    realm student.university.fr {
        virtual_server = student
    }

    server student {
    }

I can only specify one IP address and one port in the NAS configuration (wired dot1x and wireless network) and I will use the proxy port (1812).

Maybe there is another method to do that... But I think that using a proxy is the best way.

Quoting Alan DeKok:

> brisston...@free.fr wrote:
> > I have some trouble proxying PEAP requests to an (internal) virtual server:
> > I have one proxy server (with realms defined in the proxy.conf file) that forwards the
> > request internally to a virtual server defined in the sites-enabled directory.
>
> Why is there a need to proxy the PEAP packets?
>
> > For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is
> > successful, but with PEAP it doesn't work (it works with EAP-TTLS). I have this
> > error message: "Multiple levels of TLS nesting is invalid".
>
> Deleting all of the other messages doesn't help.
>
> Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
>
> Alan DeKok.

Re: Proxy EAP - TLS Nesting.
brisston...@free.fr wrote:
> I have some trouble proxying PEAP requests to an (internal) virtual server:
> I have one proxy server (with realms defined in the proxy.conf file) that forwards the
> request internally to a virtual server defined in the sites-enabled directory.

Why is there a need to proxy the PEAP packets?

> For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is
> successful, but with PEAP it doesn't work (it works with EAP-TTLS). I have this
> error message: "Multiple levels of TLS nesting is invalid".

Deleting all of the other messages doesn't help.

Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?

Alan DeKok.

Proxy EAP - TLS Nesting.
Hi everyone,

I have some trouble proxying PEAP requests to an (internal) virtual server: I have one proxy server (with realms defined in the proxy.conf file) that forwards the request internally to a virtual server defined in the sites-enabled directory.

For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is successful, but with PEAP it doesn't work (it works with EAP-TTLS). I have this error message: "Multiple levels of TLS nesting is invalid".

In my proxy.conf I have these lines:

    realm university.fr {
        virtual_server = my-virtual-server
        nostrip
    }

I should specify that the request is correctly forwarded to the virtual server.

I made some tests. If I change my proxy.conf like this:

    home_server localhost {
        port = 2812
        type = auth
        ipaddr = 127.0.0.1
        secret = **
        ...
    }

    home_server_pool my-pool {
        home_server = localhost
        type = fail-over
    }

    realm university.fr {
        auth_pool = my-pool
        nostrip
    }

-> Everything works correctly.

Does anyone have an idea?

Thanks in advance