(RADIATOR) How to differentiate PEAP-EAP-CHAPV2 and EAP-TTLS radius packets

Kawakubo, Ken kkawakub at fhcrc.org
Wed Mar 19 18:11:21 CST 2003


All,

I would like Radiator to do the following.

When Radiator gets PEAP-EAP-CHAPv2 radius packets, Radiator proxies to IAS
on Windows 2003 server. When Radiator gets EAP-TTLS-PAP packets, Radiator
authenticates via AuthBy PAM using pam_smb. I have to do this setup because
we need to authenticate against NTLM. I can do NTLM authentication with
EAP-TTLS since I can use plaintext PAP, but I cannot do NTLM authentication
with PEAP-EAP-CHAPv2 since it uses encrypted passwords.

I got both the Radius proxy with PEAP-EAP-CHAPv2 and AuthBy PAM with
EAP-TTLS-PAP working separately. But when I try to combine both packets together, I
am not getting it to work. Either one or the other fails authentication. I
have tried using AuthByPolicy and list both AuthBy clauses but it does not
seem to work.

I am wondering if there is a way to check radius packets beforehand and send
them to the appropriate AuthBy clause. The first request packet uses code 1
instead of 25 (PEAP) or 21 (EAP-TTLS) and it seems to make it difficult to
differentiate.

I appreciate any help. Thank you.

Ken Kawakubo
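
The following is an added example, not part of the original post and not Radiator code. It parses the EAP packet carried in a RADIUS EAP-Message attribute and shows why the first response (EAP type 1, Identity) cannot be routed by method, while later responses (a Nak, or type 21 / 25) can. It assumes the EAP-Message payload has already been extracted and reassembled; the function names and sample packets are constructed for illustration.

```python
import struct

# EAP type numbers from the IANA EAP registry; 1, 21 and 25 are the values
# named in the post, 3 (Nak) is added for this example.
IDENTITY, NAK, EAP_TTLS, PEAP = 1, 3, 21, 25
TUNNEL_METHODS = {EAP_TTLS: "EAP-TTLS", PEAP: "PEAP"}
EAP_RESPONSE = 2  # EAP code for packets sent by the client


def parse_eap(packet: bytes):
    """Return (code, identifier, eap_type, type_data) of an EAP Request/Response."""
    if len(packet) < 5:
        raise ValueError("too short to carry an EAP type")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    return code, ident, packet[4], packet[5:length]


def method_hint(packet: bytes) -> str:
    """Name the tunnel method an EAP Response commits the client to, if any."""
    code, _, eap_type, data = parse_eap(packet)
    if code != EAP_RESPONSE:
        return "not-a-response"
    if eap_type in TUNNEL_METHODS:
        return TUNNEL_METHODS[eap_type]
    if eap_type == NAK:
        # Nak: the client refuses the offered method and lists those it accepts.
        wanted = [TUNNEL_METHODS[t] for t in data if t in TUNNEL_METHODS]
        return wanted[0] if wanted else "undetermined"
    # Identity (type 1) carries only the user name; it and any other
    # non-tunnel type name no tunnel method.
    return "undetermined"


# Constructed sample packets: code, identifier, 2-byte length, type, type data.
SAMPLES = {
    "identity": bytes([2, 1, 0, 9, IDENTITY]) + b"user",
    "nak_for_ttls": bytes([2, 2, 0, 6, NAK, EAP_TTLS]),
    "peap_response": bytes([2, 3, 0, 6, PEAP, 0x00]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {method_hint(pkt)}")
```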







