RE: terminate eap-ttls

2013-06-20 Thread adrian.p.smith
> >>> What I really need to do is proxy the inner message to another 
> >>> Radius server which will do the authentication but I cannot get this 
> >>> to work. Whatever I try, I always see an EAP-Message avp heading off 
> >>> to the remote server. I have looked at the proxy-inner-tunnel 
> >>> virtual server but am unsure how to use it.
> >
> >> This *is* proxying the inner tunnel; the inner tunnel auth is also 
> >> EAP, and you're sending it to the remote server.
> >
> > Thanks, this is NOT what I want to do. I want to send the inner 
> > message, not the tunnel and do PAP on the remote server.

> You can only do PAP on the remote server if your inner auth method was PAP. 
> Basically, this means EAP-TTLS/PAP.

> Doing that is simple:

> server inner-tunnel {
>   authorize {
>     update control {
>       Proxy-To-Realm := THEREALM
>     }
>   }
> }

> If this isn't working, send a debug from "radiusd -X"

Many thanks Phil, that now works a treat.

For other folks, the main trip-up I had was the eapol config. Originally I had:

network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=TTLS"
}

As per the original page, but I really needed:

network={
    eap=TTLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="testpassword"
    ca_cert="/home/carla/ca.pem"
    phase2="auth=PAP"
}

The "phase2" setting indicates the "inner" protocol. Obvious when you know!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
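As an added example (not from the thread, nor from the FreeRADIUS or wpa_supplicant projects), a small Python check that parses an eapol_test/wpa_supplicant network block and flags the two things that matter in this thread: a phase2 that repeats the outer method (auth=TTLS) instead of naming an inner one, and a missing ca_cert, without which the supplicant never verifies the RADIUS server before handing over the inner PAP password. The accepted inner methods are the ones wpa_supplicant documents for TTLS phase2; the sample blocks are constructed to mirror the two configs above.

```python
"""Lint an eapol_test / wpa_supplicant network block for EAP-TTLS pitfalls (added example)."""
import re

# Inner (phase2) methods wpa_supplicant documents for TTLS: plain auth=..., or
# an EAP method carried inside the tunnel as autheap=...
TTLS_INNER = {
    "auth": {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"},
    "autheap": {"MD5", "GTC", "MSCHAPV2", "TLS"},
}

def parse_network(text):
    """Return the key=value pairs of the first network={ ... } block."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    body = m.group(1) if m else ""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip().strip('"')
    return fields

def lint_ttls(fields):
    """Return findings for a TTLS block; an empty list means it looks sane."""
    if fields.get("eap") != "TTLS":
        return ["ERROR: eap is %r, not TTLS" % fields.get("eap")]
    findings = []
    kind, _, method = fields.get("phase2", "").partition("=")
    if kind not in TTLS_INNER or method not in TTLS_INNER[kind]:
        # phase2 names the *inner* method; "auth=TTLS" just repeats the outer one
        findings.append("ERROR: phase2 %r is not a valid inner method; "
                        "use e.g. auth=PAP" % fields.get("phase2", ""))
    elif kind == "autheap":
        findings.append("NOTE: inner method is EAP; a proxied home server "
                        "must speak EAP (cf. proxy_tunneled_request_as_eap)")
    if not fields.get("ca_cert"):
        findings.append("ERROR: ca_cert unset; the RADIUS server is not "
                        "verified before the inner credential is sent")
    return findings

# Constructed sample blocks mirroring the broken and fixed configs in the thread.
BROKEN = '''network={
    eap=TTLS
    ca_cert="/home/carla/ca.pem"
    phase2="auth=TTLS"
}'''
FIXED = BROKEN.replace('phase2="auth=TTLS"', 'phase2="auth=PAP"')

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ttls(parse_network(cfg)) or ["OK"])
```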


Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 14:54, adrian.p.sm...@bt.com wrote:

>>> What I really need to do is proxy the inner message to another
>>> Radius server which will do the authentication but I cannot get
>>> this to work. Whatever I try, I always see an EAP-Message avp
>>> heading off to the remote server. I have looked at the
>>> proxy-inner-tunnel virtual server but am unsure how to use it.
>>
>> This *is* proxying the inner tunnel; the inner tunnel auth is also
>> EAP, and you're sending it to the remote server.
>
> Thanks, this is NOT what I want to do. I want to send the inner
> message, not the tunnel and do PAP on the remote server.


You can only do PAP on the remote server if your inner auth method was 
PAP. Basically, this means EAP-TTLS/PAP.


Doing that is simple:

server inner-tunnel {
  authorize {
    update control {
      Proxy-To-Realm := THEREALM
    }
  }
}

If this isn't working, send a debug from "radiusd -X"


Re: terminate eap-ttls

2013-06-19 Thread A.L.M. Buxey
Hi,

> >This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and 
> >you're sending it to the remote server.
> 
> Thanks, this is NOT what I want to do. I want to send the inner message, not 
> the tunnel and do PAP on the remote server.

okay. so you need to start by terminating the EAP on your server...so you need 
the current out of the box configuration and use the inner-tunnel...but then you 
want to then proxy the PAP authentication - that would be done with some 
'update control' unlang

alan


RE: terminate eap-ttls

2013-06-19 Thread adrian.p.smith

>> What I really need to do is proxy the inner message to another Radius 
>> server which will do the authentication but I cannot get this to work.
>> Whatever I try, I always see an EAP-Message avp heading off to the 
>> remote server. I have looked at the proxy-inner-tunnel virtual server 
>> but am unsure how to use it.

>This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and 
>you're sending it to the remote server.

Thanks, this is NOT what I want to do. I want to send the inner message, not 
the tunnel and do PAP on the remote server.

>If the remote server doesn't support EAP, you will need to investigate the:
>   proxy_tunneled_request_as_eap
>...option in eap.conf. This is set on the outer EAP type (peap or ttls)

Regards



RE: terminate eap-ttls

2013-06-19 Thread adrian.p.smith
>>I have managed to setup a simple test using eapol_test as per
>>
>> http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS

>that's a rather old...and random URL. why not look at official docs?

I'd be glad to. Please direct me to some that explain how to do this.

>>What I really need to do is proxy the inner message to another Radius
>>server which will do the authentication but I cannot get this to work.
>>Whatever I try, I always see an EAP-Message avp heading off to the remote
>>server. I have looked at the proxy-inner-tunnel virtual server but am
>>unsure how to use it.

>tell EAP to send the message to somewhere else other than inner-tunnel virtual 
>server... the inner-tunnel virtual server is a local instance you need to 
>proxy... so define a remote pool as per proxy.conf examples

I'm probably confusing my terminology, apologies.

What I'm trying to do is get FreeRadius to extract the lowest level Radius 
message from inside all those tunnels and send it on to an already defined 
proxy home server. I have the realm defined and, if I send a simple radtest 
request I get an access-accept from the downstream server. What I want to do is 
be able to send in an EAP-TTLS request using eapol_test and have the same 
result.

Thanks again.




Re: terminate eap-ttls

2013-06-19 Thread Phil Mayers

On 19/06/13 13:28, adrian.p.sm...@bt.com wrote:

> What I really need to do is proxy the inner message to another Radius
> server which will do the authentication but I cannot get this to work.
> Whatever I try, I always see an EAP-Message avp heading off to the
> remote server. I have looked at the proxy-inner-tunnel virtual server
> but am unsure how to use it.

This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, 
and you're sending it to the remote server.

If the remote server doesn't support EAP, you will need to investigate the:

  proxy_tunneled_request_as_eap

...option in eap.conf. This is set on the outer EAP type (peap or ttls)


Re: terminate eap-ttls

2013-06-19 Thread A.L.M. Buxey
Hi,

>I have managed to setup a simple test using eapol_test as per
>
> http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS

that's a rather old...and random URL. why not look at official docs?

>and it all works as described except that I have to use ca.pem instead of
>server.pem. I think this might be because the example uses an older
>version of FreeRadius?

yes, ca_cert="/home/carla/server.pem" is wrong. that's basically checking the 
RADIUS server cert..not the CA... eapol_test wants to verify the CA with that 
config option.

>What I really need to do is proxy the inner message to another Radius
>server which will do the authentication but I cannot get this to work.
>Whatever I try, I always see an EAP-Message avp heading off to the remote
>server. I have looked at the proxy-inner-tunnel virtual server but am
>unsure how to use it.

tell EAP to send the message to somewhere else other than inner-tunnel virtual 
server... the inner-tunnel virtual server is a local instance you need to 
proxy... so define a remote pool as per proxy.conf examples

alan


terminate eap-ttls

2013-06-19 Thread adrian.p.smith

I have managed to setup a simple test using eapol_test as per 
http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS 
and it all works as described except that I have to use ca.pem instead of 
server.pem. I think this might be because the example uses an older version of 
FreeRadius?


What I really need to do is proxy the inner message to another Radius server 
which will do the authentication but I cannot get this to work. Whatever I try, 
I always see an EAP-Message avp heading off to the remote server. I have looked 
at the proxy-inner-tunnel virtual server but am unsure how to use it.

Some simple steps would be appreciated.

Many thanks in advance.

