
Proxying a PEAP/MSCHAPv2 request

To keep it simple: sometimes your RADIUS server needs to proxy a PEAP/MSCHAPv2 request to another RADIUS server (the Home Server) to authenticate a user.

The idea behind the setup is that your RADIUS server receives the PEAP/MSCHAPv2 request and passes it to the inner-tunnel; the inner-tunnel then proxies the request, in MSCHAPv2 form, to the Home Server. The Home Server answers the authentication request and sends the reply back to your RADIUS server.

Suppose your RADIUS server should proxy ‘@qwifi’ requests to the Home Server.

  • In users, add
    DEFAULT User-Name =~ "@qwifi$", FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := inner-qwifi
    
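  • In eap.conf, set up all the necessary certificates and keys in the tls section and, most importantly, set proxy_tunneled_request_as_eap = no in the peap section
  • In proxy.conf
    home_server qwifi {
      type = auth+acct
      # address of the Home Server
      ipaddr = xx.xx.xx.xx
      port = 1812
      # shared secret with the Home Server; testing123 is the FreeRADIUS sample value, use your own
      secret = testing123
      require_message_authenticator = yes
    }

    home_server_pool qwifi_pool {
      home_server = qwifi
    }

    # realm used by the inner-tunnel: proxied to the Home Server pool
    realm "inner-qwifi" {
    #      auth_pool = my_auth_failover
      nostrip
      pool = qwifi_pool
    }

    # realm seen on the outer request: handled locally
    realm "qwifi" {
    #      auth_pool = my_auth_failover
      nostrip
      authhost        = LOCAL
      accthost        = LOCAL
    }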
    
  • In modules/detail, you may define
    detailfile = ${radacctdir}/%{Realm}/detail-combined
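
An added example, not from the original post or the FreeRADIUS project: with proxy_tunneled_request_as_eap = no the inner MSCHAPv2 exchange goes to the Home Server as ordinary RADIUS attributes, outside the TLS tunnel, so this Python check reads the home_server blocks of a proxy.conf and flags the sample secret and a missing require_message_authenticator = yes. The sample text, its addresses and the 16-character minimum are assumptions.

```python
import re

# Constructed sample in the page's proxy.conf layout; addresses are placeholders.
SAMPLE = """
home_server qwifi {
  ipaddr = 192.0.2.10
  secret = testing123
  require_message_authenticator = yes
}
home_server legacy {
  ipaddr = 192.0.2.11
  secret = constructed-long-random-value-0001
}
home_server_pool qwifi_pool {
  home_server = qwifi
}
"""
SAMPLE_SECRETS = {"testing123"}  # value used in FreeRADIUS sample configs
MIN_SECRET_LEN = 16              # assumed local policy, not a FreeRADIUS rule

def parse_home_servers(text):
    """Return {name: {option: value}} for every home_server block."""
    servers = {}
    block = re.compile(r"^\s*home_server\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
    for m in block.finditer(text):
        opts = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        servers[m.group(1)] = opts
    return servers

def lint(servers):
    """List (server, finding) pairs for weak proxy-link settings."""
    findings = []
    for name, opts in servers.items():
        secret = opts.get("secret", "")
        if secret in SAMPLE_SECRETS:
            findings.append((name, "sample-secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short-secret"))
        if opts.get("require_message_authenticator") != "yes":
            findings.append((name, "message-authenticator-not-required"))
    return findings

if __name__ == "__main__":
    print(lint(parse_home_servers(SAMPLE)))
```

To check a real file, pass its contents to parse_home_servers() in place of SAMPLE.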
    

Reference: Proxy PEAP-EAP-MSCHAPv2 as MSCHAPv2