Re: proxy EAP/PAP ?

2005-09-22 Thread Alan DeKok
Tim Winders [EMAIL PROTECTED] wrote:
> So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius
> on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP
> authentication?  I'm reading the proxy doc, but, I don't see anything about
> that, or if it's even applicable.

  For EAP-TTLS with tunneled PAP, you can do:

DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := tru64

  And the inner session will be proxied.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: proxy EAP/PAP ?

2005-09-21 Thread Tim Winders
I haven't heard from anyone, so, I have been doing A LOT of
experimentation...

So far, I have it working, but, it's a bit goofy.

I have freeradius-1.0.5 running on RedHat Linux using a default ./configure
and installation.

I modified the radiusd.conf/users/proxy.conf files to support eap/pap from a
Windows client, and proxying to my Tru64 box running Livingston radius.

I am using the SecureW2 3.1 supplicant for Windows XP.  I had to monkey
around with the outer settings.  I discovered that if using the default
anonymous outer identity that the realm in the user dialog box is sent with
the anonymous outer identity.

So, if I set up a NULL realm to proxy in freeradius, then anonymous would try
to be proxied to my Tru64 box and would always fail.

I set up a southplainscollege.edu realm to proxy and put in
[EMAIL PROTECTED] in the user credentials in SecureW2, but
then it would send [EMAIL PROTECTED] as the outer identity
and it would be proxied and fail.

Finally, I removed the NULL realm from proxying, and in the outer identity I
typed in anonymous, rather than using the default anonymous option.  In the
user credentials, I put in [EMAIL PROTECTED]  With this
setup, anonymous would be sent, no NULL realm would be found and it would be
authenticated against freeradius properly as an EAP session.  It would then
strip southplainscollege.edu from my user credentials and proxy that to the
Tru64 box and it would be authenticated.

So, after MUCH monkeying around, I have this working.

Is the sending of the realm with the default anonymous outer identity the
expected behavior?  Should I ask the SecureW2 group about the behaviour I am
seeing?

Hope this helps someone else.  Thanks!

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 

Problem replying to my email?  Click the Sign button in the OE toolbar or,
better yet, get your own FREE Personal E-Mail Digital ID:
http://www.thawte.com/email/index.html 
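
Added example (not part of the original thread, and not FreeRADIUS code): a simplified Python model of the realm routing described in these messages, showing why a proxied outer identity fails against a non-EAP home server and how the inner PAP identity is routed, including the users-file rule from Alan DeKok's reply. The user name jdoe, the function names and the NULL label are assumptions made for the illustration; the real addresses in the thread are redacted.

```python
"""Toy model of realm routing for EAP-TTLS/PAP behind a proxy (added example)."""

NULL = "NULL"  # label for a User-Name with no @realm suffix

def split_realm(user_name):
    """Split 'user@realm' into (user, realm); no suffix means the NULL realm."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, NULL)

def route(user_name, proxied_realms, forced_realm=None):
    """Return ('proxy', realm, name_sent) or ('local', None, user_name)."""
    if forced_realm:                      # models Proxy-To-Realm := <realm>
        return ("proxy", forced_realm, user_name)
    user, realm = split_realm(user_name)
    if realm in proxied_realms:
        return ("proxy", realm, user)     # realm stripped before forwarding
    return ("local", None, user_name)

def ttls_pap_login(outer_id, inner_id, proxied_realms, inner_forced_realm=None):
    """Outcome when the home server behind the proxy cannot handle EAP."""
    if route(outer_id, proxied_realms)[0] == "proxy":
        return "fail: outer EAP request proxied to non-EAP home server"
    where, realm, name = route(inner_id, proxied_realms, inner_forced_realm)
    if where == "proxy":
        return f"ok: inner PAP for {name!r} proxied to realm {realm}"
    return f"ok: inner PAP for {name!r} checked locally"

# Constructed identities (assumption): outer id, inner id, proxied realms,
# and the realm forced for the inner session by a users-file rule, if any.
REALM = "southplainscollege.edu"
CASES = {
    "NULL realm proxied": ("anonymous", f"jdoe@{REALM}", {NULL}, None),
    "outer carries realm": (f"anonymous@{REALM}", f"jdoe@{REALM}", {REALM}, None),
    "typed 'anonymous'": ("anonymous", f"jdoe@{REALM}", {REALM}, None),
    "users-file rule": ("anonymous", "jdoe", set(), "tru64"),
}

def run_cases():
    """Evaluate every constructed case and return {label: outcome}."""
    return {label: ttls_pap_login(*args) for label, args in CASES.items()}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label:22} -> {result}")
```
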


proxy EAP/PAP ?

2005-09-20 Thread Tim Winders
Hello All -

As I can't seem to get freeradius working on my Tru64 box and my box seems
to be broken I thought I'd try to install freeradius on a RHEL box and use
the fr proxy feature to proxy back to my Tru64 box running the Livingston
Radius server.

My question, I want to be able to authenticate against the Tru64 passwd user
database from a Windows client connected to a wireless AP running WPA.

When I had a working fr on the Tru64 box, I was able to use the SecureW2
supplicant on XP with EAP/PAP to authenticate against passwd and it worked
great.

So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius
on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP
authentication?  I'm reading the proxy doc, but, I don't see anything about
that, or if it's even applicable.

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 

Problem replying to my email?  Click the Sign button in the OE toolbar or,
better yet, get your own FREE Personal E-Mail Digital ID:
http://www.thawte.com/email/index.html