Proxy EAP-TLS request after successful authorization with eap module
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Oct 17 09:26:20 CEST 2017
> On 17 Oct 2017, at 18:46, work vlpl <thework.vlpl at gmail.com> wrote:
>
> Hello,
> I am using v3.0.x branch and want to know is it possible to make proxy
> request to another freeradius/radius server after proxy radius server
> successfully handle request in eap module?
>
Should be possible, just call eap in authorise with method override.
i.e.
authorize {
eap
if (&control:Auth-Type == EAP) {
eap.authenticate
}
}
The trick there is determining when EAP has actually finished. I'd look and
see if the return code of eap.authenticate changes on the final round
after the user has been accepted, and use that as the trigger to proxy
the final request to an upstream server.
eap.authenticate
if (ok) {
update control {
Proxy-To-Realm := 'foo'
}
}
If the return code doesn't change, then the outcome might be available
somewhere else, but that'd require some digging.
I don't think the inner tunnel runs for EAP-TLS? At least there's no reason
for it to.
The other thing would be to check and see if the cert authorisation virtual
server runs right before the Accept is returned... It might.
In which case you can stick your Need-Remote-Call in the outer.session-state list
and check for it in the outer server.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users
mailing list