[RADIATOR] EAP-TTLS: How to forward inner requests to different backends depending on the inner authentication?
hvn at open.com.au
Tue Jan 14 11:26:33 UTC 2020
On 13/01/2020 16.14, Matti Saarinen wrote:
> We have some clients that use EAP-TTLS+PAP and others that use
> EAP-TTLS+MSCHAPv2. So far, RADIATOR has stripped off the EAP-TTLS and
> forwarded the inner requests to Windows RADIUS servers and everything
> has worked. Now, the Windows admins want to drop PAP support and I would
> need to configure RADIATOR to forward PAP requests to a different backend.
My suggestion is this:
<Handler TunnelledByTTLS=1, ExistsInRequest=EAP-Message>
        # Send EAP to Windows
</Handler>

<Handler TunnelledByTTLS=1>
        # Handle non-EAP here
</Handler>
Check item ExistsInRequest is new in Radiator 4.24. It matches if the
named attribute is present in the request.
With older Radiators this was typically handled with something like
EAP-Message=/.+/. The new check item was added for cases where we
actually are not interested in an attribute's contents but only if it's
present or not.
Related to the PAP part of your config, you may want to use 'Asynchronous'
instead of 'Synchronous'. This makes proxy AuthBys work more like
other AuthBys: a result evaluated by AuthByPolicy is only returned when
a reply is received. In other words, when the Asynchronous flag parameter is
set, the AuthBy does not return immediately with IGNORE after sending
While a reply is waited for, other requests are processed. If there's no
reply, it returns with IGNORE after the configured timeout. This
provides the functionality of 'Synchronous' flag without blocking that
The latest updates and fixes to Asynchronous were done in 4.21 and it's
been available since 4.17.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
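A complete configuration along the lines suggested above, as an added example that is not from the original message or from the Radiator distribution. Host names, shared secrets and certificate paths are placeholders, and DbDir is assumed to be set earlier in the file.

```conf
# Added example (not from the original message). Host names, secrets and
# certificate paths are placeholders. Radiator dispatches a request to the
# first Handler whose check items all match, so the EAP-specific Handler
# must come before the catch-all TunnelledByTTLS Handler.

# Inner requests that still carry EAP (EAP-TTLS + MSCHAPv2): proxy to Windows
<Handler TunnelledByTTLS=1, ExistsInRequest=EAP-Message>
    <AuthBy RADIUS>
        Host nps.example.com
        Secret CHANGE_ME_NPS_SECRET
        AuthPort 1812
        AcctPort 1813
        # Wait for the backend's reply instead of returning IGNORE at once,
        # so AuthByPolicy evaluates the real result
        Asynchronous
    </AuthBy>
</Handler>

# All other inner requests (EAP-TTLS + PAP): proxy to the separate backend
<Handler TunnelledByTTLS=1>
    <AuthBy RADIUS>
        Host pap-backend.example.com
        Secret CHANGE_ME_PAP_SECRET
        AuthPort 1812
        AcctPort 1813
        Asynchronous
    </AuthBy>
</Handler>

# Outer EAP-TTLS conversation; the decrypted inner request is re-dispatched
# to the TunnelledByTTLS Handlers above. No check items, so it must be last.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.key
        EAPTLS_PrivateKeyPassword CHANGE_ME_KEY_PASSWORD
        EAPTLS_MaxFragmentSize 1000
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Because Handlers are tried in order, swapping the two TunnelledByTTLS Handlers would route every inner request, PAP included, to the Windows servers; check the order whenever a Handler is added.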