(RADIATOR) Forwarding EAP-PEAP to another Radius server

Tom Rixom tom.rixom at alfa-ariss.com
Fri Feb 27 02:05:18 CST 2004


Mike, Franck,

I have tried this already but then sending the EAP-MSCHAPV2 to an IAS
server which does understand EAP-MSCHAPV2. 

This however did not work and I think this is because the inner request 
in PEAP does not use its own packet numbering but it uses the 
numbering of the outer request.

Forwarding EAP-MSCHAPV2 within TTLS is possible however because the inner
request is a completely new request but it will only work with certain client(s) 
;)

Regards,

Tom Rixom

> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday, February 26, 2004 11:36 PM
> To: Franck Villien; radiator at open.com.au
> Subject: Re: (RADIATOR) Forwarding EAP-PEAP to another Radius server
> 
> 
> Hello Franck,
> 
> On Thu, 26 Feb 2004 11:53 pm, Franck Villien wrote:
> > Hi,
> >
> > Just starting with Radiator, and no answer found in archive mailing list
> > about how to forward a PEAP request sent by a WXP SP1 through a Cisco AP
> > to a standard Radius server (which does not support PEAP).
> 
> There is currently no way I know of to extract the authentication from PEAP
> and forward it to a non-EAP server.
> 
> The best you could hope for is to forward the inner EAP-MSCHAPV2 to another
> server, but I don't think this will help you unless the other server
> understands EAP-MSCHAPV2. AFAIK, Radiator is the only server that can handle
> bare EAP-MSCHAPV2 without special modifications.
> 
> I can see that it might be technically possible to turn the inner auth of
> PEAP-MSCHAPV2 into an ordinary Radius MSCHAPV2 request and proxy it, but we
> have not done this.
> 
> Hope that helps.
> 
> >
> > I've started from a mix of eap_ttls_proxy.cfg and eap_peap.cfg templates
> > and I'm not able to forward to a standard Radius server.
> > What is the content of the users file for the user anonymous?
> >
> > Here is an extract of the radius.cfg
> >
> > <Handler TunnelledByPEAP=1>
> >         <AuthBy RADIUS>
> >                 Host 10.10.1.28
> >                 Secret SECKEY
> >         </AuthBy>
> > </Handler>
> >
> > <Handler>
> >         <AuthBy FILE>
> >                 Filename %D/users
> >                 EAPType PEAP
> >                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> > #               EAPTLS_CAPath
> >                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> >                 EAPTLS_CertificateType PEM
> >                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> >                 EAPTLS_PrivateKeyPassword whatever
> > #               EAPTLS_RandomFile %D/certificates/random
> >                 EAPTLS_MaxFragmentSize 1000
> > #               EAPTLS_DHFile %D/certificates/cert/dh
> >                 #EAPTLS_CRLCheck
> >                 #EAPTLS_CRLFile %D/certificates/crl.pem
> >                 #EAPTLS_CRLFile %D/certificates/revocations.pem
> >                 AutoMPPEKeys
> >                 SSLeayTrace 4
> >                 # EAPAnonymous anonymous at some.other.realm
> >                 #EAPTLS_SessionResumption 0
> >                 #EAPTLS_SessionResumptionLimit 10
> >                 EAPTLS_PEAPVersion 0
> >         </AuthBy>
> > </Handler>
> >
> >
> > Thanks
> > Franck
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
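
The numbering behaviour Tom describes, sketched as an added example (not from the original thread and not Radiator's code): it assumes PEAP version 0 framing, where the tunnelled payload starts at the EAP Type byte and only EAP Extensions (type 33) packets keep a full header, so a standalone inner packet has to borrow Code and Identifier from the outer one. The function names and sample bytes are constructed for illustration.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2, EAP_TYPE_EXTENSIONS = 25, 26, 33

def parse_eap(packet):
    """Split a complete EAP request/response into (code, id, type, type_data)."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP request/response")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP Length field")
    return code, ident, packet[4], packet[5:length]

def carries_own_header(payload):
    """Heuristic: EAP Extensions (type 33) payloads keep their full EAP header."""
    if len(payload) < 5:
        return False
    code, _, length = struct.unpack("!BBH", payload[:4])
    return code in (1, 2) and length == len(payload) and payload[4] == EAP_TYPE_EXTENSIONS

def rebuild_inner(outer_packet, tunnel_payload):
    """Turn a decrypted PEAPv0 payload into a standalone EAP packet.

    The payload normally starts at the Type byte, so Code and Identifier are
    copied from the outer PEAP packet and Length is recomputed.
    """
    code, ident, outer_type, _ = parse_eap(outer_packet)
    if outer_type != EAP_TYPE_PEAP:
        raise ValueError("outer packet is not PEAP")
    if not tunnel_payload:
        raise ValueError("empty tunnel payload")
    if carries_own_header(tunnel_payload):
        return tunnel_payload
    return struct.pack("!BBH", code, ident, 4 + len(tunnel_payload)) + tunnel_payload

# Constructed sample data (not captured traffic).
# Outer: EAP-Response, Identifier 7, Type PEAP, flags 0x00, opaque TLS record bytes.
OUTER = struct.pack("!BBHBB", EAP_RESPONSE, 7, 6 + 8, EAP_TYPE_PEAP, 0x00) + b"\x17\x03\x01\x00\x03abc"
# Decrypted tunnel payload: Type 26, then MS-CHAPv2 OpCode 2 (Response), its own
# MS-CHAPv2-ID, MS-Length, Value-Size 49, a zeroed 49-byte value and a user name.
NAME = b"user"
INNER = bytes([EAP_TYPE_MSCHAPV2, 2, 7]) + struct.pack("!HB", 54 + len(NAME), 49) + bytes(49) + NAME

if __name__ == "__main__":
    print(rebuild_inner(OUTER, INNER).hex())
```

A proxy that hands the inner method to another server would have to perform this header reconstruction on the way out and strip the header again on the way back.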