What proxy features does the freeradius server support?

work vlpl thework.vlpl at gmail.com
Fri Oct 20 05:19:29 CEST 2017 

On the step 2 and 3, when proxy radius server analyze username, I want
to analyze real username, not the outer anonymous identity. To do that
I handle eap message on proxy radius server.
Then, if username not belongs to certain group I handle request on
proxy server without calling home server. If username belongs to  a
certain group I set Proxy-To-Realm attribute. And here I have an
issue.

If request is peap-mschapv2 and I set proxy_tunneled_request_as_eap =
yes, home radius server(freeradius v3.0.x branch) not understand eap
message, if proxy_tunneled_request_as_eap = no home radius server have
not problem to understand mschapv2 request.
If request eap-ttls, ttls section in eap module config does not have
option `proxy_tunneled_request_as_eap` and request on home server will
be mschapv2.
And I could not configure proxy server to send request after it look
inside eap-tls request. Home server inform what eap message has a
wrong state.

So user request to proxy server is secured with eap, but proxy request
to home server is send as simple mschapv2 without eap. And I want to
know is it possible to send request as eap to home server, after proxy
server handle (look inside) it?


On 20 October 2017 at 00:28, Alan DeKok <aland at deployingradius.com> wrote:
> On Oct 19, 2017, at 2:23 PM, work vlpl <thework.vlpl at gmail.com> wrote:
>>
>> Hello,
>> I want to implement the following proxy scenario:
>>
>> 1. User send request with eap-ttls or eap-tls or peap-mschapv2.
>> 2. Proxy freeradius server analyze this requeset
>> 3. If username from these request has custom radius attribute which
>> determines whether the request should be sent to.
>
>   If the request has a custom attribute, then it doesn't matter what EAP type is being used.
>
>> 4. Send original or new request with the same type as original, to the
>> home server
>
>   The server proxies packets as-is.  It doesn't change EAP types.
>
>> 5. If home server return Accept, Accept- user, if no - reject.
>
>   That's how proxying works.
>
>> And I want to know is this possible or not ? If yes please give me
>> some example. The protocols are eap-tls; eap-ttls; peap-mschapv2;
>
>   It's not clear exactly what you're looking for.  If you want to proxy on a RADIUS attribute such as Calling-Station-Id, just do:
>
>         if (Calling-Station-ID == "value") {
>                 update control {
>                         Proxy-To-Realm := "realm_name"
>                 }
>         }
>
>   That's really it.
>
>   All of this is documented.
>
>   Alan DeKok.
>

More information about the Freeradius-Users mailing list