help with proxy settings for EDUROAM

Hocine M hocine.maoucha at free.fr
Mon Jan 21 16:39:51 CET 2013


Hello,

Could anyone help me?

I'm trying to set up FreeRADIUS 2.1.12 as an eduroam IdP/SP.
Local authentication works, but proxying to the eduroam federation servers does not: the proxied Access-Request never gets a reply and the home server ends up marked as a zombie (see the debug output below).

here is the configuration  :

RADIUSD.CONF :

# Installation layout; the remaining paths are derived from these.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Drop privileges after the sockets are bound; the daemon does not run as root.
user = freerad
group = freerad
# A request, including its proxy round trips, is abandoned after 30 s; the
# proxied request in the debug output below is cleaned up on exactly this timer.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Bind on every interface.  port = 0 means "the default RADIUS port from
# /etc/services" (normally 1812 for auth, 1813 for acct).  If this host has
# interfaces that must not receive RADIUS from outside, restrict with a
# host firewall or a concrete ipaddr.
listen {
     type = auth
     ipaddr = *
     port = 0
}
listen {
     ipaddr = *
     port = 0
     type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
     destination = files
     file = ${logdir}/radius.log
     syslog_facility = daemon
     stripped_names = no
     # Per-request authentication outcomes are NOT logged.  auth = yes (with
     # the two password options left at no) is usually wanted on an eduroam
     # server so that an abuse report from the federation can be matched to a
     # user and a time; check local logging policy before enabling.
     auth = no
     auth_badpass = no
     auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
     max_attributes = 200
     # Hold Access-Reject for 1 s to slow down online password guessing.
     reject_delay = 1
     # Answer Status-Server; peers (including the federation servers) use it
     # to tell whether this server is alive.
     status_server = yes
}
# Proxying is enabled.  Realms and home servers are in proxy.conf, RADIUS
# peers (NAS and federation servers) in clients.conf.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
     start_servers = 5
     max_servers = 32
     min_spare_servers = 3
     max_spare_servers = 10
     max_requests_per_server = 0
}
# Every module instance under modules/ is available to the virtual servers;
# eap.conf and sql.conf define the EAP and SQL instances they reference.
modules {
     $INCLUDE ${confdir}/modules/
     $INCLUDE eap.conf
     $INCLUDE sql.conf
}
instantiate {
     exec
     expr
     expiration
     logintime
}
$INCLUDE policy.conf
# Every file in sites-enabled/ is loaded as a virtual server.  The debug
# output below shows requests being handled by sites-enabled/eduroam, not
# sites-enabled/default -- make sure the file being edited is the one in use.
$INCLUDE sites-enabled/


sites-enabled/default (note: the debug output below shows requests being handled by /etc/freeradius/sites-enabled/eduroam, so check that this is the virtual server actually in use):

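authorize {
    preprocess
    # Dispatch on the SSID suffix of Called-Station-Id.  The debug output
    # shows this NAS formats the MAC with dashes ("00-0B-0E-94-89-40:eduroam"),
    # so the original colon-only pattern could never match; accept either
    # separator and either hex case.
    if ("%{Called-Station-Id}" =~ /^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}:L3Invites$/) {
        sql_l3invites
    }
    elsif ("%{User-Name}" =~ /.*@.*/) {
        # Realm-qualified identity: "suffix" below decides local vs. proxied.
        ok
    }
    else {
        # No realm at all: reject here rather than forward junk to the
        # federation's DEFAULT route.
        update reply {
            Reply-Message := "%{User-Name} : Format Identifiant non valide!"
        }
        reject
    }
    mschap
    # Splits user@realm; local realms are marked for local handling, anything
    # else is marked for proxying (proxy.conf).
    suffix
    # For a request that is going to be proxied the eap module returns noop
    # (see the debug output) and the request goes to pre-proxy.
    eap {
        ok = return
    }
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    sql_acct
    exec
    attr_filter.accounting_response
}
session {
}
post-auth {
    reply_log
    # Every Access-Accept gets VLAN tunnel attributes; the VLAN id itself is
    # chosen per realm below.  Using := also overwrites any Tunnel-Type /
    # Tunnel-Medium-Type a remote home server may have returned.
    update reply {
        Tunnel-Type := "VLAN"
        Tunnel-Medium-Type := "IEEE-802"
    }
    # NOTE: this compares the bare user name, not the "L3Invites" SSID that
    # authorize matches on -- confirm this is the intended condition.
    if ("%{User-Name}" == "L3Invite") {
        update reply {
            Tunnel-Private-Group-Id := "53"
        }
    }
    # Proxied visitors carry Realm = "DEFAULT" (see the debug output) and match
    # none of these cases, so no VLAN id is set for them here.
    # TODO: add a case "DEFAULT" with the guest VLAN so visitors always land
    # in a known VLAN instead of whatever the NAS does without a group id.
    switch "%{Realm}" {
        case "univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "54"
            }
        }
        case "etu.univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "55"
            }
        }
        case "ext.univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "50"
            }
        }
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        linelog
    }
}
pre-proxy {
    pre_proxy_log
}
post-proxy {
    post_proxy_log
    # Filter what a remote home server may put into an Access-Accept, using
    # ${confdir}/attrs.  Without this, a Tunnel-Private-Group-Id sent by a
    # remote IdP (or by anything on the path to it) survives post-auth above
    # for DEFAULT-realm users and could place a visitor into one of the
    # staff/student VLANs.  Review the attrs file so that attributes you rely
    # on from the home server (e.g. Chargeable-User-Identity) stay allowed.
    attr_filter.post-proxy
    # Must be listed so EAP replies from the home server are processed.
    eap
    Post-Proxy-Type Fail {
        post_proxy_fail_log
    }
}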

PROXY.CONF :

# Global proxy behaviour: a home server that does not answer after
# retry_count retries, retry_delay seconds apart, is marked dead for dead_time
# seconds.  The debug output shows exactly this sequence: three sends of
# ID 243 five seconds apart, then "Marking home server ... as zombie".
proxy server {
     default_fallback = no
     retry_delay = 5
     retry_count = 3
     dead_time = 600
}
# Proxy target on this same host; only realm example.com below uses it.
home_server localhost {
     type = auth
     ipaddr = 127.0.0.1
     port = 1812
     # "testing123" is the secret from the shipped example configuration.  It
     # has to be identical to the secret of "client localhost" in clients.conf
     # (masked in this listing) or proxying to example.com fails; replace it
     # with a random value in any case.
     secret = testing123
     require_message_authenticator = yes
     response_window = 20
     zombie_period = 40
     revive_interval = 120
     status_check = status-server
     check_interval = 30
     num_answers_to_alive = 3
     max_outstanding = 65536
     coa {
          irt = 2
          mrt = 16
          mrc = 5
          mrd = 30
     }
}
home_server_pool my_auth_failover {
     type = fail-over
     home_server = localhost
}
# Left over from the shipped example; remove it if example.com is not used.
realm example.com {
     auth_pool = my_auth_failover
}
# LOCAL: handled here, never proxied.  NULL: user names without "@" (the
# authorize section already rejects those before suffix runs).
realm LOCAL {
}
realm NULL {
}
# Our own realms are authenticated locally and never forwarded to the
# federation, which also rules out a proxy loop for our own users.
# "nostrip" keeps the full user@realm in User-Name.
realm univ-lille3.fr {
     type = radius
     authhost = LOCAL
     accthost = LOCAL
     nostrip
}
realm etu.univ-lille3.fr {
     type = radius
     authhost = LOCAL
     accthost = LOCAL
     nostrip
}
realm ext.univ-lille3.fr {
     type = radius
     authhost = LOCAL
     accthost = LOCAL
     nostrip
}

# Every other realm is forwarded to the eduroam federation servers.  This is
# the 1.x "authhost/accthost/secret" realm syntax, with two DEFAULT entries
# intended as primary/backup.  In the debug output only rad1 (193.51.224.109)
# is ever tried and no reply of any kind comes back -- that is what a firewall
# block, or an FLR that does not have this server's address and secret
# configured as a client, looks like; check both with the federation operator.
# The supported 2.x form is one home_server per FLR plus a fail-over
# home_server_pool (like "localhost" above), which also lets you enable
# Status-Server based dead detection instead of timing out live requests.
realm DEFAULT {
     type = radius
     authhost = rad1.eduroam.fr:1812
     accthost = rad1.eduroam.fr:1813
     secret = **********************************
     nostrip
}

# Whether a second old-style realm with the same name is really used as a
# backup in 2.1.12 should be verified; with the home_server_pool form the
# fail-over behaviour is explicit.
realm DEFAULT {
     type = radius
     authhost = rad2.eduroam.fr:1812
     accthost = rad2.eduroam.fr:1813
     secret = ************************************
     nostrip
}

CLIENTS.CONF :

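# Local proxy target, paired with "home_server localhost" in proxy.conf;
# the two secrets must be identical.
client localhost {
     ipaddr = 127.0.0.1
     secret        = *******
     require_message_authenticator = yes
}
# eduroam federation servers: they send us visitors' requests and receive
# our own users' roaming requests.  Require Message-Authenticator on
# Access-Requests from them too: every EAP request already carries one, so
# this costs nothing, and it rejects packets spoofed from these addresses
# by a sender that does not hold the shared secret.
client 193.51.224.109 {
     secret    = ****************************
     shortname = rad1.eduroam.fr
     require_message_authenticator = yes
}
client 130.79.200.23 {
     secret    = ****************************
     shortname = rad2.eduroam.fr
     require_message_authenticator = yes
}
# Wireless controllers (addresses and secrets masked in this listing).
# nastype only affects checkrad / simultaneous-use checks.
client ******* {
     secret  = **********
     shortname = MX800R-1
     nastype = trapeze
}
client ******** {
     secret  = ***********
     shortname = MX800R-2
     nastype = trapeze
}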


Debug output from `freeradius -XX`. User-Name is redacted as "hidden" below, but the EAP-Message hex still contains the EAP-Identity (it decodes to "esupdem@univ-rouen.fr", the same value shown unredacted in the first packet), so the redaction is incomplete.


  rad_recv: Access-Request packet from host 192.168.58.5 port 20009, 
id=46, length=176
     NAS-Port-Id = "AP42/1"
     Calling-Station-Id = "74-2F-68-ED-12-1C"
     Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
     Service-Type = Framed-User
     EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
     User-Name = "esupdem at univ-rouen.fr"
     NAS-Port = 57286
     NAS-Port-Type = Wireless-802.11
     NAS-IP-Address = 192.168.58.5
     NAS-Identifier = "Trapeze"
     Message-Authenticator = 0x6830881b1c96c187831ae1494d8e8f2a
Mon Jan 21 15:29:46 2013 : Info: # Executing section authorize from file 
/etc/freeradius/sites-enabled/eduroam
Mon Jan 21 15:29:46 2013 : Info: +- entering group authorize {...}
Mon Jan 21 15:29:46 2013 : Info: ++[preprocess] returns ok
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~ 
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/)
Mon Jan 21 15:29:46 2013 : Info:     expand: %{Called-Station-Id} -> 
00-0B-0E-94-89-40:eduroam
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating ("%{Called-Station-Id}" =~ 
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~ 
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~ /.*@.*/)
Mon Jan 21 15:29:46 2013 : Info:     expand: %{User-Name} -> hidden
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating ("%{User-Name}" =~ 
/.*@.*/) -> TRUE
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~ /.*@.*/) 
-> TRUE
Mon Jan 21 15:29:46 2013 : Info: ++- entering elsif ("%{User-Name}" =~ 
/.*@.*/) {...}
Mon Jan 21 15:29:46 2013 : Info: +++[ok] returns ok
Mon Jan 21 15:29:46 2013 : Info: ++- elsif ("%{User-Name}" =~ /.*@.*/) 
returns ok
Mon Jan 21 15:29:46 2013 : Info: ++ ... skipping else for request 228: 
Preceding "if" was taken
Mon Jan 21 15:29:46 2013 : Info: ++[mschap] returns noop
Mon Jan 21 15:29:46 2013 : Info: [suffix] Looking up realm hidden for 
User-Name = hidden
Mon Jan 21 15:29:46 2013 : Info: [suffix] Found realm "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: [suffix] Adding Realm = "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: [suffix] Proxying request from user 
hidden to realm DEFAULT
Mon Jan 21 15:29:46 2013 : Info: [suffix] Preparing to proxy 
authentication request to realm "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: ++[suffix] returns updated
Mon Jan 21 15:29:46 2013 : Info: [eap] Request is supposed to be proxied 
to Realm DEFAULT.  Not doing EAP.
Mon Jan 21 15:29:46 2013 : Info: ++[eap] returns noop
Mon Jan 21 15:29:46 2013 : Info: ++[pap] returns noop
Mon Jan 21 15:29:46 2013 : Info: # Executing section pre-proxy from file 
/etc/freeradius/sites-enabled/eduroam
Mon Jan 21 15:29:46 2013 : Info: +- entering group pre-proxy {...}
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log]     expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d 
-> /var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] 
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d 
expands to 
/var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log]     expand: %t -> Mon 
Jan 21 15:29:46 2013
Mon Jan 21 15:29:46 2013 : Info: ++[pre_proxy_log] returns ok
Sending Access-Request of id 243 to 193.51.224.109 port 1812
     NAS-Port-Id = "AP42/1"
     Calling-Station-Id = "74-2F-68-ED-12-1C"
     Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
     Service-Type = Framed-User
     EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
     User-Name = hidden
     NAS-Port = 57286
     NAS-Port-Type = Wireless-802.11
     NAS-IP-Address = 192.168.58.5
     NAS-Identifier = "Trapeze"
     Message-Authenticator = 0x00000000000000000000000000000000
     Proxy-State = 0x3436
Mon Jan 21 15:29:46 2013 : Info: Proxying request 228 to home server 
193.51.224.109 port 1812
Sending Access-Request of id 243 to 193.51.224.109 port 1812
     NAS-Port-Id = "AP42/1"
     Calling-Station-Id = "74-2F-68-ED-12-1C"
     Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
     Service-Type = Framed-User
     EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
     User-Name = hidden
     NAS-Port = 57286
     NAS-Port-Type = Wireless-802.11
     NAS-IP-Address = 192.168.58.5
     NAS-Identifier = "Trapeze"
     Message-Authenticator = 0x00000000000000000000000000000000
     Proxy-State = 0x3436
Mon Jan 21 15:29:46 2013 : Debug: Going to the next request
Mon Jan 21 15:29:46 2013 : Debug: Waking up in 0.9 seconds.
Mon Jan 21 15:29:47 2013 : Debug: Waking up in 13.0 seconds.
rad_recv: Access-Request packet from host 192.168.58.5 port 20009, 
id=46, length=176
Mon Jan 21 15:29:51 2013 : Info: Sending duplicate proxied request to 
home server 193.51.224.109 port 1812 - ID: 243
Sending Access-Request of id 243 to 193.51.224.109 port 1812
     NAS-Port-Id = "AP42/1"
     Calling-Station-Id = "74-2F-68-ED-12-1C"
     Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
     Service-Type = Framed-User
     EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
     User-Name =hidden
     NAS-Port = 57286
     NAS-Port-Type = Wireless-802.11
     NAS-IP-Address = 192.168.58.5
     NAS-Identifier = "Trapeze"
     Message-Authenticator = 0x00000000000000000000000000000000
     Proxy-State = 0x3436
Mon Jan 21 15:29:51 2013 : Debug: Waking up in 9.0 seconds.
rad_recv: Access-Request packet from host 192.168.58.5 port 20009, 
id=46, length=176
Mon Jan 21 15:29:56 2013 : Info: Sending duplicate proxied request to 
home server 193.51.224.109 port 1812 - ID: 243
Sending Access-Request of id 243 to 193.51.224.109 port 1812
     NAS-Port-Id = "AP42/1"
     Calling-Station-Id = "74-2F-68-ED-12-1C"
     Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
     Service-Type = Framed-User
     EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
     User-Name = hidden
     NAS-Port = 57286
     NAS-Port-Type = Wireless-802.11
     NAS-IP-Address = 192.168.58.5
     NAS-Identifier = "Trapeze"
     Message-Authenticator = 0x00000000000000000000000000000000
     Proxy-State = 0x3436
Mon Jan 21 15:29:56 2013 : Debug: Waking up in 4.0 seconds.
Mon Jan 21 15:30:00 2013 : Info: Cleaning up request 228 ID 46 with 
timestamp +1976
Mon Jan 21 15:30:00 2013 : Proxy: Marking home server 193.51.224.109 
port 1812 as zombie (it looks like it is dead).

Thanks




