Alan DeKok wrote:
>
> "Laurent Butti" <[EMAIL PROTECTED]> wrote:
> > Does FreeRadius support (or will support) proxying for EAP
> > authentication methods (MD5/TLS), with a kind of user@realm in EAP
> > Response Identity which should be used in order to delegate
> > authentication to a 3rd party AAA ?
>
> I don't think so. The EAP 'username' is encapsulated in a RADIUS
> EAP-Message attribute, and it's difficult to get at.
>
> Alan DeKok.
Alan, I have a question regarding that.
In RFC 2869, chapter 2.3.1, they say:
In order to permit non-EAP aware RADIUS proxies to forward the
Access-Request packet, if the NAS sends the EAP-Request/Identity, the
NAS MUST copy the contents of the EAP-Response/Identity into the
User-Name attribute and MUST include the EAP-Response/Identity in the
User-Name attribute in every subsequent Access-Request. NAS-Port or
NAS-Port-Id SHOULD be included in the attributes issued by the NAS in
the Access-Request packet, and either NAS-Identifier or NAS-IP-
Address MUST be included. In order to permit forwarding of the
Access-Reply by EAP-unaware proxies, if a User-Name attribute was
included in an Access-Request, the RADIUS Server MUST include the
User-Name attribute in subsequent Access-Accept packets. Without the
User-Name attribute, accounting and billing becomes very difficult to
manage.
I took a look at the traffic coming from my NAS to the server and I
couldn't find any such additions to the User-Name attribute. Do I
misunderstand something (ethereal 0.9.4) or is my NAS crap?
Apart from that, I believe I recall having read in the RADIUS RFC
(2865) that a proxy should never cut an Attribute-Value pair and that it
should copy it into whatever it forwards. I think it was in the Proxy
chapter of RFC 2865, but I wouldn't put my shirt on it. Instead I
would like to know what freeRadius does when proxying an unknown
attribute.
And finally, I believe that one of these remarks should answer the
original question, i.e. whether EAP and proxying (will) work together with
freeradius or not, because in fact I didn't understand your answer,
Alan. Was it a "no" like "no, it will never support it" or a "no" like
"no, not in EAP Response Identity"?
sorry for bothering,
artur
--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
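The RFC 2869 requirement Artur quotes is easy to check against a capture: decode the Access-Request, reassemble the EAP-Message attribute(s), and compare the EAP-Response/Identity with User-Name. The following is an added example, not code from the thread or from FreeRADIUS; the packet builder, the sample identity alice@example.org and the attribute values are constructed for the demonstration.

```python
import struct
# RADIUS attribute types (RFC 2865/2869) and EAP constants (RFC 3748) used below
USER_NAME, EAP_MESSAGE, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 79, 2, 1

def build_access_request(attrs, ident=42):
    """Encode an Access-Request (code 1); the Request Authenticator stays zero (offline use only)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Decode the attribute section of a RADIUS packet into [(type, value), ...]."""
    length = struct.unpack("!BBH", packet[:4])[2]
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs

def eap_identity(attrs):
    """Reassemble EAP-Message fragments; return the identity if it is an EAP-Response/Identity."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(eap):
        return None
    return eap[5:].decode("utf-8", "replace")

def check_rfc2869(packet):
    """Return (eap_identity, user_name, realm, problems). The realm is taken from
    User-Name, because that is all an EAP-unaware proxy can route on."""
    attrs = parse_attributes(packet)
    identity = eap_identity(attrs)
    names = [v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME]
    problems = []
    if identity is not None and not names:
        problems.append("EAP-Response/Identity present but User-Name attribute missing")
    elif identity is not None and names[0] != identity:
        problems.append("User-Name %r differs from EAP identity %r" % (names[0], identity))
    realm = names[0].rpartition("@")[2] if names and "@" in names[0] else None
    return identity, names[0] if names else None, realm, problems

# Constructed EAP-Response/Identity: Code=2, Identifier=1, Length=22, Type=1, then the identity.
EAP_ID = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + 17, EAP_TYPE_IDENTITY) + b"alice@example.org"
# Constructed requests: a NAS that copies the identity into User-Name (RFC 2869) and one that does not.
GOOD = build_access_request([(USER_NAME, b"alice@example.org"), (EAP_MESSAGE, EAP_ID)])
BAD = build_access_request([(EAP_MESSAGE, EAP_ID)])
```

Running `check_rfc2869` over the requests in a capture shows directly whether the NAS gives a realm-based proxy anything to route on, independent of what the proxy does with the EAP-Message attribute itself.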