802.1x host/machine authentication

Chidanand Gangur chidanand.gangur at gmail.com
Thu Oct 21 11:54:40 CEST 2010


Thanks Phil, thanks a lot

It worked. I have multiple home servers configured so I am using your
logic like this

# Route machine accounts (host/...) to the matching home-server realm
if ("%{User-Name}" =~ /^host\/.*testad1\.com$/) {
    update control {
        Proxy-To-Realm := "testad1.com"
    }
}
elsif ("%{User-Name}" =~ /^host\/.*si-test\.dssc\.com$/) {
    update control {
        Proxy-To-Realm := "si-test.dssc.com"
    }
}

Thanks,
Chidanand

On Thu, Oct 21, 2010 at 1:52 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 10/21/2010 08:55 AM, Chidanand Gangur wrote:
>>
>> I have collected logs for full session of host authentication, log is
>> pasted below.
>>
>> As mentioned in my previous mail I just want to proxy the host
>> authentication request to the home server, is it possible?
>
> You didn't mention that in your original email.
>
> As I've said - the "host/foo" syntax is NOT an IPASS username. It may have
> the same format, but you do not want to process it using that realm.
>
> If you want to proxy these requests, I would recommend doing the following:
>
>  1. Define the realm you are proxying to in "proxy.conf"
>  2. In "authorize", do the following:
>
> authorize {
>   ... # N.B do not have the "IPASS", "suffix" or "ntdomain"
>   ... # modules before this point, they'll confuse things
>
>   if (User-Name =~ /^host\//) {
>     update control {
>       Proxy-To-Realm := THEREALM
>     }
>   }
>   ...
> }
>
> ...then FreeRadius will do the right thing.
>
> Out of interest, why do you want to proxy them? You are presumably aware
> that FreeRadius can, if correctly set up, perform the machine authentication
> itself?



-- 
Chidanand Gangur
Pune.
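
Added example (not part of the original thread): a Python check of the host/ User-Name routing patterns discussed above, comparing a pattern with unescaped dots and no label boundary against one with literal dots and a required hostname label. The sample names are constructed, the function names are hypothetical, and Python's `re` standing in for the server's regex engine is an assumption.

```python
import re

# Realm names come from the thread; everything else here is illustrative.
REALMS = ["testad1.com", "si-test.dssc.com"]

def loose_rules(realms):
    # "." matches any character and nothing is required between "host/"
    # and the domain. (In unlang the "/" is written "\/".)
    return [(re.compile(r"^host/.*" + realm + r"$"), realm) for realm in realms]

def strict_rules(realms):
    # Literal dots, at least one hostname label, and a "." before the domain.
    label = r"[A-Za-z0-9-]+"
    return [
        (re.compile(r"^host/" + label + r"(\." + label + r")*\."
                    + re.escape(realm) + r"$"), realm)
        for realm in realms
    ]

def route(user_name, rules):
    """Return the realm the first matching rule selects, or None."""
    for pattern, realm in rules:
        if pattern.search(user_name):
            return realm
    return None

# Constructed sample User-Name values.
SAMPLES = [
    "host/pc01.testad1.com",       # machine in the first realm
    "host/lab7.si-test.dssc.com",  # machine in the second realm
    "host/pc01.testad1xcom",       # "x" where the dot should be
    "host/pc01.nottestad1.com",    # different domain with the same suffix
    "host/testad1.com",            # no hostname label at all
    "alice@testad1.com",           # user account, not a machine account
]

def compare(samples=SAMPLES):
    """Map each name to (realm chosen by loose rules, by strict rules)."""
    loose, strict = loose_rules(REALMS), strict_rules(REALMS)
    return {name: (route(name, loose), route(name, strict)) for name in samples}

if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        flag = "" if loose == strict else "  <-- differs"
        print(f"{name:30} loose={loose!s:18} strict={strict!s:18}{flag}")
```

Names flagged as differing are the ones a loose pattern would proxy to a home server even though they are not hosts in that realm's domain.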