Proxying multiple times to virtual and external servers

Thu May 24 18:04:49 CEST 2012

From my mobile. So terse...

if("%{Called-Station-Id}" =~ /:eduroam$/){
update control {
 proxy-to-server = eduroam
 }
}

...or such (there will be some lexical errors above)

Search the mail Archives as there have been similar discussions

PS its 'eduroam', NEVER a capital E

alan

--
This smartphone has free WiFi worldwide with eduroam, now that IS smart

----- Reply message -----
From: "Graeme Hamilton" <g.j.hamilton at stir.ac.uk>
Date: Thu, May 24, 2012 15:36
Subject: Proxying multiple times to virtual and external servers
To: "freeradius-users at lists.freeradius.org" <freeradius-users at lists.freeradius.org>

Hello,

I'm configuring FreeRADIUS (2.1.12) for use as part of our Eduroam deployment. We're using EAP-MSCHAPv2 authentication, so I've got both an outer and inner virtual server configured and working correctly. Currently, the outer server configuration (configured as default i.e. without a 'server' stanza) assumes that connections from our wireless controller clients are only ever Eduroam-related, and it processes them accordingly - does realm checks, proxy logic, mandatory logging, etc. This is acceptable for now, since Eduroam is currently the only wireless service we provide which uses 802.1X authentication.

Ideally, I'd like a generic default virtual server which would process all authentications initially, but which would act upon the suffix (e.g. ':eduroam') appended to the Called-Station-Id by our wireless controllers to proxy the request off to another virtual server dedicated to that particular function, where further actions specific to that purpose can be carried out. Reading the comments in proxy.conf suggests that it's possible to proxy requests containing a particular realm off to another virtual server, but that such requests cannot subsequently be proxied again. This would break Eduroam, since visitors to our campus need to have their requests proxied off to the national proxy servers once we've processed them.

Is there any way to achieve this functionality whilst retaining the ability to proxy requests multiple times, or should I just dedicate the whole FreeRADIUS instance to Eduroam and use the functionality of our wireless controllers to direct authentication attempts on specific SSIDs to specific RADIUS server groups, if and when the need arises?

Regards,
Graeme

Graeme Hamilton
Senior Network Specialist
Information Services
University of Stirling

--
The Sunday Times Scottish University of the Year 2009/2010
The University of Stirling is a charity registered in Scotland,
number SC 011159.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120524/616a9648/attachment.html>