Arran Cudbard-Bell wrote:
>> I'm not sure why that matters. the *NAS* sets User-Name in the
>> Access-Request. The proxying server doesn't have to do anything.
>
> Well it needs to be able to read an identity of *some* kind, else how
> would it know where to proxy the packets to.
The NAS
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> And indeed as the RFC states, the User-Identity needs to be set in the
>> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
>> count as one of these, as for all intensive purposes as it provides no
>> mechanism to proxy arbitrar
Alan,
> > I do not want to terminate the EAP tunnels for the foreign realms, but I
> > have to terminate the local one (@tu-darmstadt.de and NULL) as I have to
> > forward the requests to a set of internal radius servers not capable of
> > speaking EAP.
>
> Set Proxy-To-Realm := LOCAL for the r
Arran Cudbard-Bell wrote:
> And indeed as the RFC states, the User-Identity needs to be set in the
> access requests for non-EAP-aware proxies. I suspect FreeRADIUS may
> count as one of these, as for all intensive purposes as it provides no
> mechanism to proxy arbitrary segments of an EAP con
> > Nope; see RFC 3579 for the gory details:
> >
> > "the NAS MUST copy the contents of the Type-Data field of the
> > EAP-Response/Identity received from the peer into the User-Name
> > attribute"
> >
>
> See that's what I suspected, else how could the User-Name
> attribute be populated in th
Josh Howlett wrote:
> Gah, my message bounced owing to change of email address...
>
> Arran wrote:
>> Can you clear something up for me with inner/outer identity.
>> The outer identity is in the User-Name attribute, it's a standard
>> RADIUS attribute... Inner identity is encoded in the EAP mes
Gah, my message bounced owing to change of email address...
Arran wrote:
> Can you clear something up for me with inner/outer identity.
> The outer identity is in the User-Name attribute, it's a standard
> RADIUS attribute... Inner identity is encoded in the EAP message, and
> is pulled out by
>
> Can you clear something up for me with inner/outer identity. The outer
> identity is in the User-Name attribute, it's a standard RADIUS
yep
> attribute... Inner identity is encoded in the EAP message, and is pulled
yep
> out by the EAP module prior to internal proxying and set as the
Arran Cudbard-Bell wrote:
...
>> It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP,
>> and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv2.
>>
> Ah cool, that's actually really useful. Does only one packet need to be
> proxied per EAP authentication?
Yes.
Ala
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> I was just looking at the protocol filters, they look interesting and
>> will make a lot of people on the list happy ...
>>
>
> rlm_protocol_filter? I put that in 2 years ago, and I didn't think
> anyone was using it...
>
>
Well it's
Arran Cudbard-Bell wrote:
> I was just looking at the protocol filters, they look interesting and
> will make a lot of people on the list happy ...
rlm_protocol_filter? I put that in 2 years ago, and I didn't think
anyone was using it...
> Just finished building on my 32bit machine and ..
>
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> So the eap module extracts the attributes encoded in the eap message? I
>> can see that working for EAP GTC and EAP PAP but not MschapV2?
>>
>
> It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP,
> and proxy the inne
Arran Cudbard-Bell wrote:
> So the eap module extracts the attributes encoded in the eap message? I
> can see that working for EAP GTC and EAP PAP but not MschapV2?
It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP,
and proxy the inner EAP-MSCHAPv2 session as plain MS-CHAPv
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> So the eap module extracts the attributes encoded in the eap message? I
>> can see that working for EAP GTC and EAP PAP but not MschapV2?
>>
>
> It works for GTC, PAP, and MS-CHAPv2. The server can terminate PEAP,
> and proxy the inne
Alan DeKok wrote:
> Andreas Liebe wrote:
>
>> I do not want to terminate the EAP tunnels for the foreign realms, but I
>> have to terminate the local one (@tu-darmstadt.de and NULL) as I have to
>> forward the requests to a set of internal radius servers not capable of
>> speaking EAP.
>>
>
Andreas Liebe wrote:
> I do not want to terminate the EAP tunnels for the foreign realms, but I
> have to terminate the local one (@tu-darmstadt.de and NULL) as I have to
> forward the requests to a set of internal radius servers not capable of
> speaking EAP.
Set Proxy-To-Realm := LOCAL for the
Andreas Liebe wrote:
> Hi Helmut,
>
>
>>> Is there a way to terminate the EAP regardless of the outer identity?
>>>
>>>
>> why do you want this. The EAP Tunnel should terminate on the last
>> RADIUS where the user belongs. On your RADIUS only the EAP-Tunnels for
>> your users should be te
Hi Helmut,
> > Is there a way to terminate the EAP regardless of the outer identity?
> >
>
> why do you want this. The EAP Tunnel should terminate on the last
> RADIUS where the user belongs. On your RADIUS only the EAP-Tunnels for
> your users should be terminating.
I do not want to terminate
Hello Andreas,
>
> Now we want to participate in inter University roaming (eduroam) and thus
> have to proxy some requests to a parent server. Everything works great
> except regarding the outer identity.
>
> If it's just "anonymous" everything is ok, but if it's
> "anonymous@" and is configured in
Hi all,
we're using FreeRadius 1.1.6 to give access to our WLAN with EAP-TTLS.
Worked great so far.
Now we want to participate in inter University roaming (eduroam) and thus
have to proxy some requests to a parent server. Everything works great
except regarding the outer identity.
If it's just "anon
I'm using a freeradius server to identify proxies to about 3 other RADIUS
servers.
One of them happens to be a freeradius server. When it puts the acct
information in the DB (on both the proxied and proxying, it just puts in
DEFAULT as the realm, though it got proxied via realm "theisp.com".
Wher
21 matches