Identifying Virtual-Server from Inner-Tunnel

Jordan Dohms wraezor at gmail.com
Thu Oct 4 21:07:57 CEST 2012


I’m still fairly new at FreeRADIUS.  Running 2.1.10 (we are planning
our upgrade shortly).

Kind of a two-pronged question here...I'm encountering a particular
issue, but also would like to hear if my broad approach is suitable.

I am attempting to do the following:
- Use one FreeRADIUS server to authenticate for two different 802.1X
networks (EAP-PEAP / MSCHAP).
- Both will use the mschap module to interface with Microsoft Active Directory.
- The first 802.1X network will authenticate against DOMAIN1, the
second against both DOMAIN1 and DOMAIN2.  The first network should
reject authentication attempts from DOMAIN2.
- All usernames are specified with a full realm / fqdn.
- The RADIUS clients (wireless access points) will all be the same for
the two networks.

What (I think) is the solution:
- In order for FreeRADIUS to distinguish what set of users (DOMAIN1 or
DOMAIN1/2) to authenticate against, I have set up two virtual servers
listening on different ports and (obviously) different names.
(working)
- The clients connect to FreeRADIUS over a different port depending on
the network they're attempting to connect to. (working)
- Set up realms for both DOMAIN1 and DOMAIN2 to have them both
authenticate locally. (working)
- Set up two mschap modules to call the ntlm_auth command with the proper
DOMAIN string. (working)
- Depending on the realm provided, call a different mschap module from
the inner-tunnel. (working)
- Depending on the virtual server the request was received through,
call a different mschap module from the inner-tunnel or reject the
request. (not working)

If there's a better/cleaner/simpler way to do this, I'm all ears.

My issue:
Since it's EAP-PEAP, the request passes through the outer and
inner-tunnel virtual servers.  In my inner-tunnel, I'm doing an IF on
the Realm.  That seems to be evaluating properly if I look at the
debug logs.  If I do an IF on Virtual-Server it comes back with
'inner-tunnel'.  If I do outer.request:Virtual-Server it oddly also
comes back with 'inner-tunnel'.  How do I see the actual
virtual-server?  Should I need to set a separate variable in the
outer-server and read it below?

Here is my attempted code in "server inner-tunnel":

        authenticate {
                Auth-Type MS-CHAP {
                        if ("%{outer.request:Virtual-Server}" == "secure") {
                                mschap_domain1
                        }
                        else {
                                if ("%{Realm}" == "domain1.fqdn.org") {
                                        mschap_domain1
                                }
                                elsif ("%{Realm}" == "domain2.fqdn.org") {
                                        mschap_domain2
                                }
                        }
                }
                eap
        }

In my debug logs:

Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2]     expand: %{outer.request:Virtual-Server} -> inner-tunnel
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ++- entering else else {...}
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2]     expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org")
Thu Oct  4 13:05:18 2012 : Info: [mschapv2]     expand: %{Realm} -> domain2.fqdn.org
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct  4 13:05:18 2012 : Info: [mschapv2] +++- entering elsif ("%{Realm}" == "domain2.fqdn.org") {...}

Any suggestions for what I'm doing wrong or maybe a better way to tackle it?

Thanks,
Jordan Dohms
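The "set a separate variable in the outer server and read it below" approach the post raises, written out as an added example configuration (not from the original post or the FreeRADIUS project). It assumes the DOMAIN1-only network's outer virtual server is named "secure", that the internal attribute Tmp-String-0 is free to use as a marker, and reuses the mschap_domain1/mschap_domain2 instances and realms from the post; the debug output shows Virtual-Server expanding to the current (inner) server, so a plain attribute on the outer request is what %{outer.request:...} can actually read back.

```unlang
# --- raddb/sites-enabled/secure (outer virtual server, first network) ---
server secure {
        authorize {
                # Virtual-Server is computed for the request being
                # processed, so inside the tunnel it always reads
                # "inner-tunnel".  A real attribute on the outer request
                # survives the %{outer.request:...} lookup instead.
                # (Tmp-String-0 is assumed unused elsewhere.)
                update request {
                        Tmp-String-0 := "secure"
                }
                # remaining authorize modules as in the existing site
                suffix
                eap
        }
        # authenticate / post-auth sections unchanged
}

# --- raddb/sites-enabled/inner-tunnel (shared by both outer servers) ---
server inner-tunnel {
        authenticate {
                Auth-Type MS-CHAP {
                        if ("%{outer.request:Tmp-String-0}" == "secure") {
                                # First network: DOMAIN1 only.  Anything
                                # else (DOMAIN2, unknown realm) is refused
                                # here rather than handed to ntlm_auth.
                                if ("%{Realm}" == "domain1.fqdn.org") {
                                        mschap_domain1
                                }
                                else {
                                        reject
                                }
                        }
                        elsif ("%{Realm}" == "domain1.fqdn.org") {
                                # Second network: either domain is allowed
                                mschap_domain1
                        }
                        elsif ("%{Realm}" == "domain2.fqdn.org") {
                                mschap_domain2
                        }
                        else {
                                # Unknown realm on either network
                                reject
                        }
                }
                eap
        }
}
```

Requests arriving on the other outer virtual server never set Tmp-String-0, so the comparison is false there and the realm-based branches apply; a radiusd -X run should show the expand of %{outer.request:Tmp-String-0} as "secure" only for the first network.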

