[RADIATOR] EAP-TTLS: How to forward inner requests to different backends depending on the inner authentication?
Matti Saarinen
mjsaarin at cc.helsinki.fi
Mon Jan 13 14:14:42 UTC 2020
Hello!
We have some clients that use EAP-TTLS+PAP and others that use
EAP-TTLS+MSCHAPv2. So far, RADIATOR has stripped off the EAP-TTLS and
forwarded the inner requests to Windows RADIUS servers and everything
has worked. Now, the Windows admins want to drop PAP support and I would
need to configure RADIATOR to forward PAP requests to a different backend.
This is probably a very simple thing to accomplish but I haven't had
the skills with which to write a working configuration. Below is what
I'm trying to do. I hope that if the MSCHAPv2 backend doesn't accept the
request RADIATOR will move to the next one.
<Handler TunnelledByTTLS=1>
    Identifier EAP-TTLS
    AuthByPolicy ContinueAlways
    <AuthBy GROUP>
        # MSCHAPv2 should be processed here
        <AuthBy RADIUS>
            ### PacketTrace
            Identifier TTLS-MSCHAPv2
            LocalAddress n.n.n.n
            Host ad1
            FailureBackoffTime 300
            RetryTimeout 3
            Secret *
            Retries 0
            Synchronous
        </AuthBy>
    </AuthBy>
    <AuthBy GROUP>
        # PAP should be processed here
        <AuthBy RADIUS>
            ### PacketTrace
            RewriteUsername s/^([^@]+).*/$1/
            Identifier TTLS-PAP-R1
            Host r1
            AuthPort 1812
            AcctPort 1813
            Secret *
            RetryTimeout 3
            Retries 0
            Synchronous
        </AuthBy>
        <AuthBy RADIUS>
            ### PacketTrace
            Identifier TTLS-PAP-R2
            RewriteUsername s/^([^@]+).*/$1/
            Host r2
            AuthPort 1812
            AcctPort 1813
            Secret *
            RetryTimeout 3
            Retries 0
            Synchronous
        </AuthBy>
    </AuthBy>
</Handler>
// Matti
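One way to split the inner requests by authentication method, as an added example that is not part of Matti's post and not Radiator's own documentation or code: select on the tunnelled request with two Handlers instead of one Handler with a ContinueAlways policy. The example assumes that Radiator Handler check items accept a regexp in /.../ form and that an inner MSCHAPv2 request carries an attribute named MS-CHAP2-Response in the local dictionary; both should be confirmed against the Radiator reference manual and a debug-level trace of a real inner request before relying on it. Hostnames, the LocalAddress placeholder and the Identifier values are carried over from the post, and the choice of ContinueUntilAccept for the PAP side is an assumption about the intended failover behaviour.

```text
# Inner (tunnelled) EAP-TTLS requests are dispatched by Handler selection,
# not by AuthBy policy. Handlers are tried in the order they appear and the
# first one whose check items all match handles the request, so the more
# specific MSCHAPv2 Handler must come before the catch-all TTLS Handler.

# Inner MSCHAPv2: the tunnelled request carries an MS-CHAP2-Response
# attribute. Matching it with the regexp /./ (any non-empty value) is an
# assumption of this example; verify the attribute name against your
# dictionary and a Trace 4 log of an inner request.
<Handler TunnelledByTTLS=1, MS-CHAP2-Response=/./>
    Identifier TTLS-Inner-MSCHAPv2
    <AuthBy RADIUS>
        Identifier TTLS-MSCHAPv2
        LocalAddress n.n.n.n
        Host ad1
        FailureBackoffTime 300
        RetryTimeout 3
        Retries 0
        Secret *
        Synchronous
    </AuthBy>
</Handler>

# Everything else tunnelled by TTLS (inner PAP, which carries User-Password
# instead of an MS-CHAP2-Response) goes to the non-Windows backends.
# ContinueUntilAccept makes Radiator try r2 only when r1 rejects; a host
# that does not answer at all is covered by listing several Host lines in
# one AuthBy RADIUS, which is the simpler form if r1 and r2 are replicas
# of the same user store rather than independent ones.
<Handler TunnelledByTTLS=1>
    Identifier TTLS-Inner-PAP
    AuthByPolicy ContinueUntilAccept
    <AuthBy RADIUS>
        Identifier TTLS-PAP-R1
        RewriteUsername s/^([^@]+).*/$1/
        Host r1
        AuthPort 1812
        AcctPort 1813
        Secret *
        RetryTimeout 3
        Retries 0
        Synchronous
    </AuthBy>
    <AuthBy RADIUS>
        Identifier TTLS-PAP-R2
        RewriteUsername s/^([^@]+).*/$1/
        Host r2
        AuthPort 1812
        AcctPort 1813
        Secret *
        RetryTimeout 3
        Retries 0
        Synchronous
    </AuthBy>
</Handler>
```

The reason for selecting by Handler rather than chaining both groups under ContinueAlways is that with ContinueAlways every AuthBy runs and the last result wins, so an MSCHAPv2 request accepted by ad1 would still be forwarded to r1 and r2, which cannot process an MS-CHAP2-Response and would reject it. Keying the dispatch on which credential attribute the inner request actually carries also means a PAP request never reaches the Windows servers once they drop PAP, and a misrouted request shows up in the trace as a Handler mismatch rather than as an unexplained reject.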