terminating EAP tunnels, proxy and realms
Andreas Liebe
liebe at hrz.tu-darmstadt.de
Fri Jun 22 13:47:37 CEST 2007
Hi all,
we're using FreeRadius 1.1.6 to give access to our WLAN with EAP-TTLS.
Worked great so far.
Now we want to participate in inter University roaming (eduroam) and thus
have to proxy some requests to a parent server. Everything works great
except regarding the outer identity.
If it's just "anonymous" everything is ok, but if it's
"anonymous@<somerealm>" and <somerealm> is configured in proxy.conf the
EAP-Request is proxied instead of terminated. This is correct by
configuration but not wanted.
Is there a way to terminate the EAP regardless of the outer identity?
Here's an example:
User-Name = "anonymous@tu-darmstadt.de"
Calling-Station-Id = "00-18-DE-B5-3A-E2"
...
EAP-Message = 0x0201001e01616e6f6e796d6f75734074752d6461726d73746164742e6465
Message-Authenticator = 0x7a211176339c3e2ee9f7a0fe56864b2a
...
rlm_realm: Looking up realm "tu-darmstadt.de" for User-Name = "anonymous@tu-darmstadt.de"
rlm_realm: Found realm "tu-darmstadt.de"
rlm_realm: Adding Stripped-User-Name = "anonymous"
rlm_realm: Proxying request from user anonymous to realm tu-darmstadt.de
rlm_realm: Adding Realm = "tu-darmstadt.de"
rlm_realm: Preparing to proxy authentication request to realm "tu-darmstadt.de"
modcall[authorize]: module "suffix" returns updated for request 6
rlm_eap: Request is supposed to be proxied to Realm tu-darmstadt.de. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 6
...
How can I bypass proxy authentication for EAP-Messages?
This is the setup in users:
...
# matches request without any realm (local)
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm !* "NULL", Proxy-To-Realm := MyRealm
        User-Name = `%{User-Name}`,Fall-Through = Yes
# matches requests going explicitly to tu-darmstadt.de (local)
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm == "tu-darmstadt.de", Proxy-To-Realm := MyRealm
        User-Name = `%{User-Name}`,Fall-Through = Yes
# matches requests going parent radius
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm == DEFAULT, Proxy-To-Realm := Parent
        User-Name = `%{User-Name}`,Fall-Through = Yes
...
Thanks a lot,
-Andreas
--
Andreas Liebe/Darmstadt University of Technology/+49 6151 16-3150/3050(FAX)
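
Added example, not part of the original post and not FreeRADIUS code: decoding the EAP-Message from the debug output above shows it is an EAP-Response/Identity carrying the outer identity, and that the part after the "@" is the realm the suffix lookup in the log keys on. The function names and the split-at-last-"@" rule are assumptions of this example.

```python
import struct

# EAP-Message value copied from the debug output in the post.
EAP_MESSAGE_HEX = "0201001e01616e6f6e796d6f75734074752d6461726d73746164742e6465"
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_identity(raw: bytes) -> dict:
    """Parse an EAP packet (RFC 3748 layout) that carries an Identity."""
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type byte")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 5 or length > len(raw):
        raise ValueError("EAP length field does not match the data present")
    if code not in (1, 2) or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Request/Response of type Identity")
    return {
        "code": EAP_CODES[code],
        "id": ident,
        "length": length,
        "identity": raw[5:length].decode("utf-8", errors="replace"),
    }


def split_suffix_realm(user_name: str, delimiter: str = "@"):
    """Return (user, realm); realm is None when no realm is present.

    Assumption of this example: the split happens at the last delimiter.
    """
    user, sep, realm = user_name.rpartition(delimiter)
    if not sep or not user or not realm:
        return user_name, None
    return user, realm


def outer_identity(hex_value: str) -> dict:
    """Decode an EAP-Message hex string and add the realm split."""
    info = parse_eap_identity(bytes.fromhex(hex_value))
    info["user"], info["realm"] = split_suffix_realm(info["identity"])
    return info


if __name__ == "__main__":
    for key, value in outer_identity(EAP_MESSAGE_HEX).items():
        print(f"{key:9}= {value}")
```

The decoded user and realm match the Stripped-User-Name and Realm values that rlm_realm adds in the log.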