On 13/01/2020 16.14, Matti Saarinen wrote:

We have some clients that use EAP-TTLS+PAP and others that use
EAP-TTLS+MSCHAPv2. So far, RADIATOR has stripped off the EAP-TTLS and
forwarded the inner requests to Windows RADIUS servers and everything
has worked. Now, the Windows admins want to drop PAP support and I would
need to configure RADIATOR to forward PAP requests to a different backend.

My suggestion is this:

<Handler TunnelledByTTLS=1, ExistsInRequest=EAP-Message>
  # Send EAP to Windows
</Handler>

<Handler TunnelledByTTLS=1>
  # Handle non-EAP here
</Handler>

Check item ExistsInRequest is new in Radiator 4.24. It matches if the named attribute is present in the request.

With older Radiators this was typically handled with something like EAP-Message=/.+/. The new check item was added for cases where we actually are not interested in an attribute's contents but only if it's present or not.

Related to the PAP part of your config, you may want to use 'Asynchronous' instead of 'Synchronous'. This makes proxy AuthBys work more like other AuthBys: a result evaluated by AuthByPolicy is only returned when a reply is received. In other words, when the Asynchronous flag parameter is set, the AuthBy does not return immediately with IGNORE after sending the request.

While a reply is awaited, other requests are processed. If there's no reply, it returns with IGNORE after the configured timeout. This provides the functionality of the 'Synchronous' flag without the blocking that 'Synchronous' does.

The latest updates and fixes to Asynchronous were done in 4.21 and it's been available since 4.17.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

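Filling in the two inner Handlers from the message above with proxy AuthBys, as an added configuration example that is not from Heikki's reply or from Radiator's own documentation; the backend hostnames, shared secrets and Identifier names are placeholders, and the outer EAP-TTLS Handler that terminates the TLS tunnel is assumed to be configured elsewhere.

```text
# Added example (not from the original message). Handlers are tried in
# order and the first match wins, so the more specific EAP check comes
# first: inner EAP (MSCHAPv2) is proxied to the Windows RADIUS servers.
<Handler TunnelledByTTLS=1, ExistsInRequest=EAP-Message>
	<AuthBy RADIUS>
		Identifier	ToWindowsNPS
		Host		nps.example.internal      # placeholder
		Secret		CHANGE-ME-windows-secret  # placeholder
		AuthPort	1812
		AcctPort	1813
	</AuthBy>
</Handler>

# Everything else tunnelled inside TTLS (here: PAP) falls through to the
# second Handler and goes to the other backend. Asynchronous rather than
# Synchronous: the AuthBy result is returned when the reply arrives, a
# timeout still yields IGNORE, and Radiator keeps processing other
# requests in the meantime instead of blocking.
<Handler TunnelledByTTLS=1>
	<AuthBy RADIUS>
		Identifier	ToPAPBackend
		Host		pap-backend.example.internal  # placeholder
		Secret		CHANGE-ME-pap-secret          # placeholder
		AuthPort	1812
		AcctPort	1813
		Asynchronous
	</AuthBy>
</Handler>
```

If the Handler order were reversed, the unconditional TunnelledByTTLS=1 Handler would also catch the EAP inner requests, so the ExistsInRequest=EAP-Message Handler must come first.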