[RADIATOR] EAP-TTLS: How to forward inner requests to different backends depending on the inner authentication?

Matti Saarinen mjsaarin at cc.helsinki.fi
Tue Jan 21 06:44:10 UTC 2020


> [ EAP-TTLS tunnelled PAP to one backend, EAP-TTLS tunnelled MSCHAPv2
> to other backend. What to do with EAP-TTLS tunnelled EAP-MSCHAPv2. ]

Finally, I managed to find a not-so-elegant workaround. The EAP-TTLS
tunnelled MSCHAPv2 can be detected with MS-CHAP-Challenge=/.+/. That can
be proxied to the Windows RADIUS servers. All others are proxied without
TTLS to the next RADIATOR servers. There I can distinguish PAP from
EAP-MSCHAPv2. The latter I need to convert to regular MSCHAPv2 so that I
can proxy it to the Windows RADIUS servers.

It still puzzles me why I failed to do that with the RADIATOR
terminating the TTLS. It may be due to the PEAP section in the same
configuration. Perhaps the inner authentication was either pushed to the
wrong handler or couldn't find a matching handler at all.

Cheers,

Matti
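As an added illustration of the two-hop workaround described in the post (this is not the poster's configuration and was not part of the thread), the following sketches the Handler layout on the TTLS-terminating Radiator and on the second-hop Radiator. Hostnames, secrets and file paths are placeholders; the directive names (TunnelledByTTLS, EAPType TTLS, EAP_PEAP_MSCHAP_Convert) are taken from the Radiator reference manual as I recall it and should be checked against the version in use, in particular whether EAP_PEAP_MSCHAP_Convert also converts TTLS-tunnelled EAP-MSCHAPv2 and not only the PEAP case.

```text
# --- Front-end Radiator: terminates EAP-TTLS (illustrative, not the poster's config) ---

# Inner request carrying plain MSCHAPv2: the MS-CHAP-Challenge attribute is present,
# so it can go straight to the Windows RADIUS (NPS) servers.
# Handlers are tried in file order, so this specific one must come before the
# generic TunnelledByTTLS handler below.
<Handler TunnelledByTTLS=1, MS-CHAP-Challenge=/.+/>
	<AuthBy RADIUS>
		# placeholder host and secret
		Host nps.example.org
		Secret changeme
	</AuthBy>
</Handler>

# Every other inner request (PAP, EAP-MSCHAPv2) is forwarded, already decrypted,
# to the second-hop Radiator. The inner credential now travels as ordinary RADIUS,
# protected only by the shared-secret obfuscation, so this hop should be on a
# trusted network or carried over RadSec (RADIUS over TLS).
<Handler TunnelledByTTLS=1>
	<AuthBy RADIUS>
		# placeholder host and secret
		Host radiator2.example.org
		Secret changeme
	</AuthBy>
</Handler>

# Outer requests: terminate the TTLS tunnel here.
<Handler>
	<AuthBy FILE>
		# placeholder paths; %D is Radiator's DbDir
		Filename %D/users
		EAPType TTLS
		EAPTLS_CAFile %D/certificates/ca.pem
		EAPTLS_CertificateFile %D/certificates/server.pem
		EAPTLS_PrivateKeyFile %D/certificates/server.key
		EAPAnonymous anonymous
	</AuthBy>
</Handler>

# --- Second-hop Radiator (illustrative) ---

# Inner EAP-MSCHAPv2 arrives as an EAP-Message; convert it to plain MSCHAPv2
# before proxying so the Windows servers can answer it.
<Handler EAP-Message=/.+/>
	<AuthBy RADIUS>
		Host nps.example.org
		Secret changeme
		EAP_PEAP_MSCHAP_Convert
	</AuthBy>
</Handler>

# What is left is PAP (User-Password); proxy it to the PAP backend.
<Handler>
	<AuthBy RADIUS>
		Host pap-backend.example.org
		Secret changeme
	</AuthBy>
</Handler>
```

Because Radiator selects the first Handler whose check items all match, the order of the sections is what does the routing: an extra `<Handler TunnelledByPEAP=1>` or a catch-all `<Handler>` placed above the TTLS-specific handlers would swallow the inner requests, which is one concrete way the "pushed to the wrong handler" symptom mentioned in the post can arise. Running Radiator with a higher Trace level while a single inner authentication is attempted shows which Handler each inner request ended up in and is the quickest way to confirm the selection.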

