[RADIATOR] EAP-TTLS: How to forward inner requests to different backends depending on the inner authentication?

Heikki Vatiainen hvn at open.com.au
Tue Jan 14 11:26:33 UTC 2020

On 13/01/2020 16.14, Matti Saarinen wrote:

> We have some clients that use EAP-TTLS+PAP and others that use
> EAP-TTLS+MSCHAPv2. So far, RADIATOR has stripped of the EAP-TTLS and
> forwarded the inner requests to Windows RADIUS servers and everything
> has worked. Now, the Widows admins want to drop PAP support and I would
> need to configure RADIATOR to forward PAP requests to different backend.

My suggestion is this:

<Handler TunnelledByTTLS=1, ExistsInRequest=EAP-Message>
   # Send EAP to Windows

<Handler TunnelledByTTLS=1>
   # Handle non-EAP here

Check item ExistsInRequest is new in Radiator 4.24. It matches if the 
named attribute is present in the request.

With older Radiators this was typically handled with something like 
EAP-Message=/.+/. The new check item was added for cases where we 
actually are not interested in an attribute's contents but only if it's 
present or not.

Related to PAP part of your config, you may want to use 'Asynchronous' 
instead of 'Synchronous'. This makes proxy AuthBys to work more like 
other AuthBys: a result evaluated by AuthByPolicy is only returned when 
a reply is received. In other words, when Asynchronous flag parameter is 
set, the AuthBy does not return immediately with IGNORE after sending 
the request.

While a reply is waited for, other requests are processed. If there's no 
reply, it returns with IGNORE after the configured timeout. This 
provides the functionality of 'Synchronous' flag without blocking that 
'Synchronous' does.

The latests updates and fixes to Asynchronous were done in 4.21 and it's 
been available since 4.17.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

More information about the radiator mailing list