(RADIATOR) Forwarding EAP-PEAP to another Radius server

Mike McCauley mikem at open.com.au
Thu Feb 26 16:36:27 CST 2004


Hello Franck,

On Thu, 26 Feb 2004 11:53 pm, Franck Villien wrote:
> Hi,
>
> Just starting with Radiator, and no answer found in archive mailing list
> about how to forward a PEAP request sent by a WXP SP1 through a Cisco AP
> to a standard Radius server (which does not support PEAP).

There is currently no way I know of to extract the authentication from PEAP 
and forward it to a non-EAP server.

The best you could hope for is to forward the inner EAP-MSCHAPV2 to another 
server, but I don't think this will help you unless the other server 
understands EAP-MSCHAPV2. AFAIK, Radiator is the only server that can handle 
bare EAP-MSCHAPV2 without special modifications.

I can see that it might be technically possible to turn the inner auth of 
PEAP-MSCHAPV2 into an ordinary Radius MSCHAPV2 request and proxy it, but we 
have not done this.

Hope that helps.

>
> I've started from a mix of eap_ttls_proxy.cfg and eap_peap.cfg templates
> and I'm not able to forward to a standard Radius server.
> What is the content of the users file for the user anonymous?
>
> Here is an extract of the radius.cfg
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy RADIUS>
>                 Host 10.10.1.28
>                 Secret SECKEY
>         </AuthBy>
> </Handler>
>
> <Handler>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> #               EAPTLS_CAPath
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
> #               EAPTLS_RandomFile %D/certificates/random
>                 EAPTLS_MaxFragmentSize 1000
> #               EAPTLS_DHFile %D/certificates/cert/dh
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 # EAPAnonymous anonymous at some.other.realm
>                 #EAPTLS_SessionResumption 0
>                 #EAPTLS_SessionResumptionLimit 10
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
>
>
> Thanks
> Franck
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
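
The conversion described in the reply above as technically possible, sketched as an added example (not part of the original message and not Radiator code): it repacks the fields of an inner EAP-MSCHAPv2 Response into the RADIUS MS-CHAP-Challenge and MS-CHAP2-Response attributes of RFC 2548. It assumes the inner packet has already been taken out of the PEAP tunnel with its full EAP header, and that `authenticator_challenge` is the 16-octet challenge the PEAP-terminating server itself issued; all function names and sample values are made up for the example.

```python
import struct

MS_VENDOR_ID = 311       # Microsoft enterprise number (RFC 2548)
MS_CHAP_CHALLENGE = 11   # RFC 2548 vendor type
MS_CHAP2_RESPONSE = 25   # RFC 2548 vendor type
HDR = "!BBHBBBHB"        # EAP code, id, length, type, opcode, MS-CHAPv2-ID, MS-Length, Value-Size

def vsa(vendor_type, data):
    """Wrap data in a RADIUS Vendor-Specific (26) attribute for vendor 311."""
    sub = bytes([vendor_type, len(data) + 2]) + data
    return bytes([26, len(sub) + 6]) + struct.pack("!I", MS_VENDOR_ID) + sub

def parse_eap_mschapv2_response(pkt):
    """Split an EAP-MSCHAPv2 Response into (ms_id, peer_challenge, nt_response, flags, name)."""
    if len(pkt) < 59:
        raise ValueError("packet too short for an EAP-MSCHAPv2 Response")
    code, _, length, eap_type, opcode, ms_id, ms_len, vsize = struct.unpack(HDR, pkt[:10])
    if (code, eap_type, opcode) != (2, 26, 2):
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if length != len(pkt) or ms_len != length - 5 or vsize != 49:
        raise ValueError("inconsistent length fields")
    value = pkt[10:59]   # Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1)
    return ms_id, value[:16], value[24:48], value[48], pkt[59:]

def to_radius_attrs(pkt, authenticator_challenge):
    """Encode the RADIUS attributes a proxy would send to an MS-CHAPv2 backend."""
    if len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenge must be 16 octets")
    ms_id, peer, nt, flags, name = parse_eap_mschapv2_response(pkt)
    if not 1 <= len(name) <= 253:
        raise ValueError("bad name length")
    response = bytes([ms_id, flags]) + peer + bytes(8) + nt
    return {
        "User-Name": bytes([1, len(name) + 2]) + name,
        "MS-CHAP-Challenge": vsa(MS_CHAP_CHALLENGE, authenticator_challenge),
        "MS-CHAP2-Response": vsa(MS_CHAP2_RESPONSE, response),
    }

def constructed_sample():
    """Constructed packet for user 'alice' (all values made up for this example)."""
    value = bytes(range(16)) + bytes(8) + bytes(range(100, 124)) + b"\x00"
    name = b"alice"
    length = 10 + len(value) + len(name)
    return struct.pack(HDR, 2, 7, length, 26, 2, 7, length - 5, 49) + value + name

if __name__ == "__main__":
    for attr, raw in to_radius_attrs(constructed_sample(), bytes(range(200, 216))).items():
        print(attr, raw.hex())
```

This covers only the request direction: the backend's Access-Accept would carry MS-CHAP2-Success (RFC 2548), which the PEAP-terminating server would still have to relay to the client inside the tunnel.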