aland at deployingradius.com
Thu Aug 15 03:24:51 CEST 2019
On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1 at gmail.com> wrote:
> Well, about empty realm - I mean this:
> 1) outer identity: empty
That's an issue. The outer identity shouldn't be empty. In RADIUS, it's *forbidden* to have an empty User-Name.
See RFC 7542. The outer identity should be "anonymous", or maybe "@realm" where it's your realm.
> 2) inner identity: username
> I need to authenticate two kinds of users:
> 1) ones with credentials above
> 2) eduroam
Except that an empty outer identity means that your users will *never* be able to use eduroam. An outer User-Name of "@example.com" is routable back to you via eduroam. An empty outer User-Name will just get dropped on the floor.
> The only difference is in outer and inner identity.
> Both setups use EAP + MSCHAPv2 and OpenLDAP.
> I am trying to handle those two kinds of users in a single virtual server
You generally *must* run them in a single virtual server. Because the Ads will send both user authentications to one RADIUS server. And the RADIUS server has to figure it out.
> it doesn't work - it says it's proxying request to localhost and that's it.
See the FAQ for "it doesn't work". And post the *actual* debug output. Not a one-line summary.
We don't need to see that. The documentation says to post the debug log, *not* the configuration files.
> Virtual server for inner identity:
We don't need to see that, either. If it doesn't work, it's wrong. If you post the debug output, we see it *running* the configuration, which is infinitely more useful.
What you should be doing is:
* all users log in with a non-empty outer identity.
* *your* users log in with outer identity of "@my.domain.tld"
* the FreeRADIUS configuration has that domain as a local one
* everything else gets proxied to eduroam
A long and detailed guide is in the Wiki: https://wiki.freeradius.org/guide/eduroam
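As an added illustration of the four bullets above (this is example configuration written for this page, not Alan's or the FreeRADIUS project's own), a FreeRADIUS 3 proxy.conf fragment that keeps one realm local and proxies every other realm to eduroam. The realm name my.domain.tld, the FLR address 192.0.2.1 and the shared secret are placeholders to be replaced with what your national eduroam operator provides.

```conf
# Hypothetical proxy.conf fragment (added example, not from the original post).
# Placeholders: my.domain.tld, 192.0.2.1 and the secret must be replaced with
# the values your eduroam Federation-Level RADIUS (FLR) operator gives you.

# The eduroam FLR server: every realm that is not ours is forwarded here.
home_server eduroam_flr {
        type = auth
        ipaddr = 192.0.2.1              # placeholder FLR address
        port = 1812
        secret = REPLACE_WITH_FLR_SECRET
        status_check = status-server    # notice a dead FLR instead of timing out
        response_window = 20
        zombie_period = 40
}

home_server_pool eduroam_pool {
        type = fail-over
        home_server = eduroam_flr
}

# Our own realm. A realm with no auth_pool is local: the suffix module only
# sets Realm and Stripped-User-Name and the request stays in this server,
# so the EAP tunnel and the OpenLDAP lookup run here.
realm my.domain.tld {
}

# Anything else (outer identity "anonymous@other.example" etc.) is proxied.
# nostrip keeps the full outer User-Name so the FLR can route on the realm;
# an empty outer User-Name never matches a realm and cannot be routed at all.
realm DEFAULT {
        auth_pool = eduroam_pool
        nostrip
}
```

For the realm lookup to happen, the `suffix` module has to be listed in the `authorize` section of the outer virtual server and of `inner-tunnel`, which is where the default FreeRADIUS 3 configuration already places it.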