On Thu, 2007-09-13 at 02:56 -0700, fuki wrote:
>
> Phil Mayers wrote:
> >
> > On Thu, 2007-09-13 at 01:25 -0700, fuki wrote:
> >
> > You can certainly terminate the PEAP and still proxy the inner
> > EAP-MSCHAP to another radius server; however as far as I am aware,
> > FreeRadius doesn't yet have support for the various health state
> > attributes, or for that matter >1 set of data inside the PEAP tunnel.
> >
> > In particular if you are talking about the Vista built-in health check
> > packets, that uses PEAPv2 which FreeRadius doesn't support, and you
> > won't be able to terminate.
> >
>
> Yes I'm talking about the Vista built-in health check packets. I used a
> packet sniffer to analyze the submitted packets and compared them with the
> PEAPv2 specification
> (http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10#page-11,
> 2.1.4. Version Negotiation). According to the specification PEAP v0 is used by
> Vista, so it should be possible to use FreeRadius as proxy to decrypt the
> packages, to analyze the health state (has to be implemented) and to proxy
> the inner EAP-MSCHAP to another radius server?
>

Provided FreeRadius can parse the PEAP contents (which it can't) then yes,
sending the inner EAP-MSCHAP to another server is easy:

DEFAULT FreeRadius-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo"
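
Added example, not part of the original thread and not FreeRADIUS code: one way to read the PEAP version off captured EAP packets, which is the check the thread is arguing about. It assumes the flags octet layout from the cited draft (L/M/S in the top bits, a 3-bit Ver field in the low bits); the function names are hypothetical and the sample packets are constructed.

```python
import struct

PEAP_TYPE = 25                      # EAP method type for PEAP
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
VER_MASK = 0x07                     # assumed: Ver is the low 3 bits of the flags octet

def parse_peap(eap: bytes) -> dict:
    """Parse one EAP packet and return its PEAP flags and version."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP-PEAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if length < 6 or length > len(eap):
        raise ValueError("EAP length field does not match captured data")
    if code not in (1, 2) or eap_type != PEAP_TYPE:
        raise ValueError("not an EAP-PEAP request/response")
    return {
        "code": "request" if code == 1 else "response",
        "id": ident,
        "start": bool(flags & FLAG_S),
        "more_fragments": bool(flags & FLAG_M),
        "length_included": bool(flags & FLAG_L),
        "version": flags & VER_MASK,
    }

def negotiated_version(start_req: bytes, first_resp: bytes) -> int:
    """Version in effect: the one the peer puts in its first response."""
    req, resp = parse_peap(start_req), parse_peap(first_resp)
    if req["code"] != "request" or not req["start"]:
        raise ValueError("first packet is not a PEAP Start request")
    if resp["code"] != "response" or resp["id"] != req["id"]:
        raise ValueError("response does not answer the Start request")
    # The peer should not answer above the version the server offered.
    if resp["version"] > req["version"]:
        raise ValueError("peer answered with a higher version than offered")
    return resp["version"]

# Constructed sample packets (not taken from a real capture).
START_V2 = bytes([1, 7, 0, 6, 25, 0x22])          # Request, id 7, S flag, Ver=2
RESP_V0 = bytes([2, 7, 0, 11, 25, 0x00]) + b"\x16\x03\x01\x00\x00"  # Ver=0

if __name__ == "__main__":
    print(negotiated_version(START_V2, RESP_V0))
```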

