scripting pap off to eapol_test?


Jonathan
I'm thinking of passing received PAP username and password on a realm/proxy
basis to eapol_test to transform a PAP request into a proxied EAP request
for further authentication upstream towards a 3rd party radius which only
accepts secured EAP-PEAP:mschapv2 requests.


If this would be possible, what would be the easiest way to do this from
within a proxy config?

scenario:
1) hotspot pap send to freeradius
2) freeradius matching realm, transform to eap-peap:mschapv2 request and
proxy to upstream 3rd party server
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: scripting pap off to eapol_test?

Alan DeKok-2
On Aug 6, 2020, at 5:17 AM, Jonathan <[hidden email]> wrote:
>
> I'm thinking of passing received PAP username and password on a realm/proxy
> basis to eapol_test to transform a PAP request into a proxied EAP request
> for further authentication upstream towards a 3rd party radius which only
> accepts secured EAP-PEAP:mschapv2 requests.
>
> If this would be possible, what would be the easiest way to do this from
> within a proxy config?

  Just execute a program.  It will likely have to be a shell script wrapper which creates a configuration file in /tmp, and then passes that to eapol_test.

  It will "work" for various definitions of "work".  If things are OK, users will be authenticated.  But if the back-end server goes down, no RADIUS fail-over will happen.  Instead, the script will wait, and will block FreeRADIUS.

  People should just allow PAP.

  Alan DeKok.
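A sketch of the wrapper described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS. The `UPSTREAM_*`, `CA_CERT`, `EAPOL_TEST` and `DEADLINE` names and their values are assumptions. It hex-encodes the credentials, relying on wpa_supplicant-style configs accepting unquoted hex strings, so a password cannot add config lines. It also bounds the wait the reply warns about, although a bounded wait is still not RADIUS fail-over.

```shell
#!/bin/sh
# Added example: PAP credentials -> PEAP/MSCHAPv2 check through eapol_test.
# All names and values below are assumed placeholders, not from the thread.
UPSTREAM_IP="${UPSTREAM_IP:-192.0.2.10}"        # constructed (TEST-NET-1)
UPSTREAM_PORT="${UPSTREAM_PORT:-1812}"
UPSTREAM_SECRET="${UPSTREAM_SECRET:-changeme}"  # placeholder shared secret
CA_CERT="${CA_CERT:-/etc/ssl/upstream-ca.pem}"  # placeholder path
EAPOL_TEST="${EAPOL_TEST:-eapol_test}"
DEADLINE="${DEADLINE:-5}"                       # seconds before giving up

# Hex-encode stdin so quotes or newlines in a value stay inside the value.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Write a config readable only by its owner in /tmp and print its path.
write_peap_conf() {
    user_hex=$(printf '%s' "$1" | hex)
    pass_hex=$(printf '%s' "$2" | hex)
    [ -n "$user_hex" ] && [ -n "$pass_hex" ] || return 1
    conf=$(mktemp /tmp/peap.XXXXXX) || return 1   # mktemp creates mode 0600
    cat > "$conf" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity=$user_hex
    password=$pass_hex
    phase2="auth=MSCHAPV2"
    ca_cert="$CA_CERT"
}
EOF
    printf '%s\n' "$conf"
}

# Return 0 on upstream success, non-zero on reject, error or timeout.
peap_check() {
    conf=$(write_peap_conf "$1" "$2") || return 1
    # -t bounds eapol_test itself; timeout(1) is a hard stop if it hangs anyway.
    timeout "$((DEADLINE + 2))" "$EAPOL_TEST" -c "$conf" -a "$UPSTREAM_IP" \
        -p "$UPSTREAM_PORT" -s "$UPSTREAM_SECRET" -t "$DEADLINE" >/dev/null 2>&1
    rc=$?
    rm -f "$conf"        # the file holds the user's password; never leave it
    return "$rc"
}
```

The calling hook maps the return status of `peap_check "$user" "$password"` to accept or reject; each request still occupies the server for up to `DEADLINE + 2` seconds when the upstream is unreachable.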

