[EMAIL PROTECTED] wrote:
> Well, while I have to agree, that it is not generally possible, it
> seems like EAP-MD5 could be translated to a plain CHAP
> authentication, EAP-GTC could be translated to plain PAP password
> transfer,

Probably, with some weird hacks.

> but unless I'm missing something, it should be possible to
> implement such translations, shouldn't it?

Theoretically.

> > If you're using EAP-TTLS, then the tunneled session is often just
> > normal non-EAP authentication, and that can be proxied.
>
> (and I suppose the same applies more or less to PEAP?)

No. PEAP tunnels EAP, and only EAP.

> So, out of the popular EAP protocols, EAP-TLS is the only one,
> which really can't be proxied at all, unless I'm missing something.

Uh, no. *all* EAP methods can be proxied. The original question you quoted was:

> > > Is it possible to forward authentication of the user to another proxy,
> > > that does not support eap?

If the user is using EAP, and the home server doesn't support EAP, then it's obvious that proxying EAP won't work. But this is because the home server doesn't understand EAP, not because proxying EAP doesn't work. If the home server supports EAP, proxying EAP works fine.

> Anyway, for a first try I'd be very happy with being able to forward
> whatever normal non-EAP authentication is used inside EAP-TTLS
> to my old RADIUS server which doesn't support EAP. Is that currently
> possible without hacking the source?

Yes. See the list archives for examples.

Alan DeKok.

