[RADIATOR] Proxying to a RADIUS server before doing EAP

Heikki Vatiainen hvn at open.com.au
Thu Sep 13 08:00:20 CDT 2012


On 09/13/2012 11:15 AM, Kristof V. wrote:

> On receipt of the first Access-Request (containing the first EAP
> message), I want to contact another RADIUS server (server X) before
> initiating EAP. The reason for this callflow is that I need the result
> of this other server to decide whether EAP should be started or not.

Would there be any method to make this information directly available to
Radiator? That might be easier than making this happen. For example,
making sure only the first EAP message is forwarded could be tricky.

> Also, in theory I'm not really "proxying" the initial request to server
> X, but I only seem to find the "AuthBy RADIUS" method to contact another
> server, which just proxies the request. Because server X can't handle
> EAP, I'd have to strip the EAP attributes from the request, which
> confuses the EAP logic that follows.

You could consider two AuthBys where EAP is done first followed by
proxy. AuthByPolicy ContinueWhileChallenge might do this. If you let EAP
handle the request first you can then more easily strip attributes.
However, there's still the problem of what should be done with the
subsequent EAP messages.

> I've tried a couple of configurations, which include AuthBy GROUP, using
> ReplyHooks, ... , but I can't seem to find anything that works. Maybe
> I'm just missing something? Does anyone have any suggestions?

My suggestion is to make the EAP decision information available to
Radiator. Otherwise setting up what you have described could be tricky.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
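
Added example, not part of the original post and not Radiator code: a protocol-level Python sketch of why "only the first EAP message" is hard to single out, and one way to test for it on a raw Access-Request. It assumes the RFC 3579 conventions that a conversation opens with EAP-Response/Identity (or an empty EAP-Message as EAP-Start) and that later requests echo a State attribute; the function names and sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST, ATTR_STATE, ATTR_EAP_MESSAGE = 1, 24, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def is_first_eap_request(packet: bytes) -> bool:
    """True only for the Access-Request that opens an EAP conversation."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST or any(t == ATTR_STATE for t, _ in attrs):
        return False  # State echoes an earlier Access-Challenge: mid-conversation
    fragments = [v for t, v in attrs if t == ATTR_EAP_MESSAGE]
    if not fragments:
        return False  # not an EAP request at all
    eap = b"".join(fragments)  # an EAP packet may span several EAP-Message attributes
    if not eap:
        return True  # empty EAP-Message is the EAP-Start signal
    if len(eap) < 5:
        return False
    eap_code, _id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    return (eap_code, eap_type, eap_len) == (EAP_RESPONSE, EAP_TYPE_IDENTITY, len(eap))

def build_request(attrs):
    """Build a constructed sample packet (zero authenticator, no Message-Authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: EAP-Response/Identity for "alice", then a later EAP type 13 response.
IDENTITY = struct.pack("!BBHB", 2, 0, 10, 1) + b"alice"
FIRST = build_request([(1, b"alice"), (ATTR_EAP_MESSAGE, IDENTITY)])
LATER = build_request([(1, b"alice"), (ATTR_STATE, b"\x01\x02"),
                       (ATTR_EAP_MESSAGE, struct.pack("!BBHB", 2, 1, 6, 13) + b"\x00")])
```

Every request after the first carries EAP-Message as well, so a rule that keys on that attribute alone would send the whole conversation to server X.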

