Altering identity
Marek Des
desmarek1 at gmail.com
Wed Aug 14 18:58:51 CEST 2019
Well, about the empty realm - I mean this:
1) outer identity: empty
2) inner identity: username
I need to authenticate two kinds of users:
1) ones with the credentials above
2) eduroam
The only difference is in the outer and inner identity.
Both setups use EAP + MSCHAPv2 and OpenLDAP.
I am trying to handle those two kinds of users in a single virtual server and
it doesn't work - it says it's proxying the request to localhost and that's it.
proxy.conf:

realm LOCAL {
        authhost = localhost:1812
        accthost = localhost:1813
        secret = testing123
        nostrip
}

realm "domain.tld" {
        authhost = localhost:1812
        accthost = localhost:1813
        secret = testing123
        nostrip
}

realm NULL {
        authhost = localhost:1812
        accthost = localhost:1813
        secret = testing123
        nostrip
}

realm "~.+$" {
        auth_pool = pool_eduroam
        nostrip
}
Virtual server for outer identity:

authorize {
        linelog_recv_request
        split_username_nai
        #if (noop || !&Stripped-User-Domain) {
        #        reject
        #}
        ########################################################################
        if ((!&Stripped-User-Domain) || (&Stripped-User-Domain == "")) {
                update {
                        control:Proxy-To-Realm := 'domain.tld'
                }
                return
        }
Virtual server for inner identity:

authorize {
        split_username_nai
        #if (noop || (&Stripped-User-Domain &&
        #    (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
        #        reject
        #}
        if ((!&Stripped-User-Domain) || (&Stripped-User-Domain =~ /domain.tld/) || (&Stripped-User-Domain == "")) {
                ldap
        }
        update {
                &outer.session-state:Stripped-User-Name := &Stripped-User-Name
        }
On Sun, Aug 11, 2019 at 1:46 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 11, 2019, at 4:04 AM, Marek Des <desmarek1 at gmail.com> wrote:
> >
> > I need to handle two different realms:
> > 1) realm: domain.tld, username: user at domain.tld, EAP + MSCHAPv2 + LDAP
> > 2) realm: empty, username: user, EAP + MSCHAPv2 + LDAP
>
> Please be *specific*. I have no idea what you mean by "handle different
> realms"
>
> > Do I need to run 2 different virtual servers (2x outer + 2x inner or 1x
> > outer + 2x inner)?
>
> To do WHAT?
>
> If you want to authenticate users from multiple domains at the same
> time, the server can do that. Just define all of the realms in
> proxy.conf. The server will figure it out, and will do the right thing.
>
> realm example.com {
> # empty == "my realm"
> }
>
> This is extensively documented in the proxy.conf file.
>
> Alan DeKok.
>
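Following Alan's point that a realm without a pool is local, here is an added configuration sketch (mine, not from either poster) for the two populations in this thread. It assumes FreeRADIUS 3.x, the stock suffix instance of rlm_realm in place of split_username_nai, a DEFAULT catch-all realm in place of the "~.+$" regex, and a home_server_pool named pool_eduroam defined elsewhere in proxy.conf.

```unlang
# proxy.conf: a realm with no auth_pool or authhost is handled locally
# (Alan's "empty == my realm"), so nothing is proxied back to localhost.
realm NULL {
        # inner identity "user" with no "@": our own users
}
realm domain.tld {
        # "user@domain.tld": also ours; keep the full name for LDAP
        nostrip
}
realm DEFAULT {
        # every realm not listed above is a visitor: forward to eduroam
        # (home_server_pool pool_eduroam is assumed to exist in proxy.conf)
        auth_pool = pool_eduroam
        nostrip
}

# sites-enabled/default (outer identity), authorize excerpt
authorize {
        # suffix sets Realm and, for realms with a pool, Proxy-To-Realm;
        # an empty outer identity has no realm and simply stays local
        suffix
        eap {
                ok = return
        }
}

# sites-enabled/inner-tunnel (inner identity), authorize excerpt
authorize {
        suffix
        # an outer identity that named a realm must agree with the inner one
        if (&outer.request:Realm && (&outer.request:Realm != &Realm)) {
                reject
        }
        # only realms we terminate the tunnel for may appear inside it;
        # this stops an inner "user@elsewhere" being proxied out of our tunnel
        if (!&Realm || ((&Realm != "NULL") && (&Realm != "domain.tld"))) {
                reject
        }
        ldap
        eap {
                ok = return
        }
}
```

With the LOCAL/NULL/domain.tld realms pointing at localhost:1812 as in the original proxy.conf, the server proxies to itself, which is the "proxying request to localhost" seen in the debug output; leaving those realms without a pool keeps them local.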