(RADIATOR) PEAP config and proxying

Christian Wiedmann cw_radiator at wiedmann.org
Tue Apr 15 20:24:37 CDT 2003


I think you may be getting confused between the inner and outer requests.

You've attached the RewriteUserName to the Handler for the outer request, not
the inner.  Since the actual user name being authenticated is in the TLS tunnel,
it is not rewritten (see the MSCHAP-V2 debug messages).  You probably need to
move the RewriteUserName to the inner handler.

You'll also get weird behavior if the inner request falls through the tunnel
handler, so I think it might be a good idea to add TunneledByPEAP=0 to the
outer handler (the second one in this case).

Also, you didn't mention whether you want to forward just the inner request,
or the whole PEAP transaction.  The way you've written the config right now
makes it look like you're doing the latter.  If this is unintentional, you
probably want to add a TunneledByPEAP=1 to the forwarding handler.  Otherwise,
add TunneledByPEAP=0 to prevent it from trying to forward failed inner
requests.

I'm not an expert at the Radius side, but have been playing with PEAP quite
a bit, so I hope this might be somewhat helpful in spite of any mistakes
or misunderstandings I may have made.

	-Christian

p.s. Hugh - is there any way to turn on address obscuring on the Radiator list
archives?  I'm getting spam to this address.
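
A sketch of the handler layout this message describes, for the case where PEAP is terminated locally and only the inner request is forwarded. It is an added example, not part of the original post and not the original poster's configuration; the rewrite pattern, upstream host, shared secret and certificate paths are placeholders.

```conf
# Added illustration; all values below are constructed placeholders.

# Inner request: the EAP-MSCHAP-V2 exchange unwrapped from the TLS tunnel.
# It carries the real user name, so the rewrite belongs on this handler.
# (Radiator spells the parameter RewriteUsername.)
<Handler TunneledByPEAP=1>
	# Placeholder pattern: strip a trailing @realm before forwarding
	RewriteUsername s/^([^@]+).*/$1/
	<AuthBy RADIUS>
		Host upstream.example.org
		Secret REPLACE_WITH_SHARED_SECRET
	</AuthBy>
</Handler>

# Outer request: the PEAP/TLS conversation with the supplicant.
# TunneledByPEAP=0, as suggested in the message, keeps an inner request
# from falling through into this handler.
<Handler TunneledByPEAP=0>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP
		EAPTLS_CAFile %D/certificates/ca.pem
		EAPTLS_CertificateFile %D/certificates/server.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/server.pem
		EAPTLS_PrivateKeyPassword REPLACE_WITH_KEY_PASSWORD
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

To forward the whole PEAP transaction instead, the forwarding handler would carry TunneledByPEAP=0 and no local PEAP termination would be configured for those requests.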