Proxying based on SSID

Ana Gallardo Gómez ana_gallardo_77 at hotmail.com
Wed Jan 24 11:58:32 CET 2007


I think you have to use the attribute "Stripped-User-Name" to authenticate the user.

> Date: Wed, 24 Jan 2007 14:21:59 +0800
> From: LFK at cc.hku.hk
> To: freeradius-users at lists.freeradius.org
> Subject: Proxying based on SSID
>
> Hi,
>
> Sorry if the questions have been asked. I have done a lot of searches,
> but could not find the answer.
>
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.
>
> But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.
>
> Any suggestions to solve it are appreciated. Thanks in advance.
>
> Best Regards,
> Lai
>
> Users
> =====
> DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~
> "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm :=
> "hku.hk"
>
> DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd
>
> Radiusd -X
> =========
> rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136,
> length=152
>         NAS-Port-Id = "2098/1"
>         Calling-Station-Id = "00-18-DE-83-3E-1B"
>         Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"
>         Service-Type = Framed-User
>         EAP-Message = 0x02010012017063637732406173642e636f6d
>         User-Name = "pcw2 at asd.com"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "3Com"
>         NAS-IP-Address = 17.18.28.26
>         Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>     rlm_realm: Looking up realm "asd.com" for User-Name = "pcw2 at asd.com"
>     rlm_realm: Found realm "DEFAULT"
>     rlm_realm: Proxying request from user pcw2 to realm DEFAULT
>     rlm_realm: Adding Realm = "DEFAULT"
>     rlm_realm: Preparing to proxy authentication request to realm
> "DEFAULT"
>   modcall[authorize]: module "suffix" returns updated for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     users: Matched entry DEFAULT at line 171
>     users: Matched entry DEFAULT at line 244
>   modcall[authorize]: module "files" returns ok for request 0
>   rlm_eap: EAP packet type response id 1 length 18
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   Found Autz-Type usePlainTextPwd
>   Processing the authorize section of radiusd.conf
> modcall: entering group usePlainTextPwd for request 0
> modcall: entering group redundant  for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for pcw2 at asd.com
> radius_xlat:  '(&(uid=pcw2 at asd.com)))'
> radius_xlat:  'ou=ldap,o=hku,c=hk'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter
> (&(uid=pcw2 at asd.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "withNTPwd" returns notfound for request 0
> modcall: leaving group redundant  (returns notfound) for request 0
> modcall: leaving group usePlainTextPwd (returns notfound) for request 0
>   WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm!
> Cancelling
>  invalid proxy request.
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
>  WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
> Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfd7f032f1c3ed7e8e39bf1872727e771
> Finished request 0
> Going to the next request
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
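A small Python model of the policy discussed in this thread, added here as an illustration (it is not FreeRADIUS code and not from either poster): requests whose Called-Station-Id ends in a locally handled SSID have the realm stripped before the LDAP filter is built, and everything else with a realm is proxied unchanged. The SSID set, the function names, the handling of realm-less names and the RFC 4515 escaping step are assumptions of the example; the archive renders "@" as " at ".

```python
# Added illustration: models the routing decision, not FreeRADIUS internals.
LOCAL_SSIDS = {"VIP-peap"}  # assumed: SSIDs that must always be handled locally

# RFC 4515 characters that must be escaped inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ssid_of(called_station_id):
    """Return the SSID from 'AA-BB-CC-DD-EE-FF:ssid', or None if absent."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep and ssid else None


def strip_realm(user_name):
    """Split 'user@realm' at the last '@'; realm is None when there is none."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


def ldap_escape(value):
    """Escape a value so it cannot alter the structure of the search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def route(user_name, called_station_id):
    """Decide local vs proxy and build the LDAP filter for local requests."""
    user, realm = strip_realm(user_name)
    if ssid_of(called_station_id) in LOCAL_SSIDS:
        # Local SSID: search on the stripped name, whatever the realm was.
        return {"action": "local", "filter": "(uid=%s)" % ldap_escape(user)}
    if realm is None:
        # Assumption: names without a realm are also looked up locally.
        return {"action": "local", "filter": "(uid=%s)" % ldap_escape(user_name)}
    # Unknown realm on any other SSID: proxy with the name untouched.
    return {"action": "proxy", "realm": realm, "user_name": user_name}


if __name__ == "__main__":
    # Constructed inputs based on the debug output quoted above.
    print(route("pcw2@asd.com", "00-16-E0-FD-47-40:VIP-peap"))
    print(route("pcw2@asd.com", "00-16-E0-FD-47-40:other-ssid"))
```

In the quoted debug output the search filter still carries the full `user at realm` string, which is why the directory lookup returns "object not found"; the first call above shows the filter that results once the realm is removed first.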

