<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="-1">Hello,<br>
<br>
Could anyone help me?<br>
<br>
I'm trying to set up freeradius 2.1.12 for eduroam.<br>
Local authentication works well, but proxying does not: the proxied request gets no answer from the home server, which is then marked as a zombie (see the debug output below).<br>
<br>
Here is the configuration:<br>
<br>
RADIUSD.CONF :<br>
<br>
prefix = /usr<br>
exec_prefix = /usr<br>
sysconfdir = /etc<br>
localstatedir = /var<br>
sbindir = ${exec_prefix}/sbin<br>
logdir = /var/log/freeradius<br>
raddbdir = /etc/freeradius<br>
radacctdir = ${logdir}/radacct<br>
name = freeradius<br>
confdir = ${raddbdir}<br>
run_dir = ${localstatedir}/run/${name}<br>
db_dir = ${raddbdir}<br>
libdir = /usr/lib/freeradius<br>
pidfile = ${run_dir}/${name}.pid<br>
user = freerad<br>
group = freerad<br>
max_request_time = 30<br>
cleanup_delay = 5<br>
max_requests = 1024<br>
listen {<br>
type = auth<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
ipaddr = *<br>
port = 0<br>
type = acct<br>
}<br>
hostname_lookups = no<br>
allow_core_dumps = no<br>
regular_expressions = yes<br>
extended_expressions = yes<br>
log {<br>
destination = files<br>
file = ${logdir}/radius.log<br>
syslog_facility = daemon<br>
stripped_names = no<br>
auth = no<br>
auth_badpass = no<br>
auth_goodpass = no<br>
}<br>
checkrad = ${sbindir}/checkrad<br>
security {<br>
max_attributes = 200<br>
reject_delay = 1<br>
status_server = yes<br>
}<br>
proxy_requests = yes<br>
$INCLUDE proxy.conf<br>
$INCLUDE clients.conf<br>
thread pool {<br>
start_servers = 5<br>
max_servers = 32<br>
min_spare_servers = 3<br>
max_spare_servers = 10<br>
max_requests_per_server = 0<br>
}<br>
modules {<br>
$INCLUDE ${confdir}/modules/<br>
$INCLUDE eap.conf<br>
$INCLUDE sql.conf<br>
}<br>
instantiate {<br>
exec<br>
expr<br>
expiration<br>
logintime<br>
}<br>
$INCLUDE policy.conf<br>
$INCLUDE sites-enabled/<br>
<br>
<br>
sites-enabled/default:<br>
<br>
authorize {<br>
preprocess<br>
if ("%{Called-Station-Id}" =~
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) {<br>
sql_l3invites<br>
}<br>
elsif ("%{User-Name}" =~ /.*@.*/) {<br>
ok<br>
}<br>
else {<br>
update reply {<br>
Reply-Message := "%{User-Name} : Format Identifiant
non valide!"<br>
}<br>
reject<br>
}<br>
mschap<br>
suffix<br>
eap {<br>
ok = return<br>
}<br>
pap<br>
}<br>
authenticate {<br>
Auth-Type PAP {<br>
pap<br>
}<br>
Auth-Type MS-CHAP {<br>
mschap<br>
}<br>
eap<br>
}<br>
preacct {<br>
preprocess<br>
acct_unique<br>
suffix<br>
files<br>
}<br>
accounting {<br>
sql_acct<br>
exec<br>
attr_filter.accounting_response<br>
}<br>
session {<br>
}<br>
post-auth {<br>
reply_log<br>
update reply {<br>
Tunnel-Type := "VLAN"<br>
Tunnel-Medium-Type := "IEEE-802"<br>
}<br>
if ("%{User-Name}" == "L3Invite") {<br>
update reply {<br>
Tunnel-Private-Group-Id := "53"<br>
}<br>
}<br>
switch "%{Realm}" {<br>
case "univ-lille3.fr" {<br>
update reply {<br>
Tunnel-Private-Group-Id := "54"<br>
}<br>
}<br>
case "etu.univ-lille3.fr" {<br>
update reply {<br>
Tunnel-Private-Group-Id := "55"<br>
}<br>
}<br>
case "ext.univ-lille3.fr" {<br>
update reply {<br>
Tunnel-Private-Group-Id := "50"<br>
}<br>
}<br>
}<br>
exec<br>
Post-Auth-Type REJECT {<br>
attr_filter.access_reject<br>
linelog<br>
}<br>
}<br>
pre-proxy {<br>
pre_proxy_log<br>
}<br>
post-proxy {<br>
post_proxy_log<br>
eap<br>
Post-Proxy-Type Fail {<br>
post_proxy_fail_log<br>
}<br>
}<br>
<br>
PROXY.CONF :<br>
<br>
proxy server {<br>
default_fallback = no<br>
retry_delay = 5<br>
retry_count = 3<br>
dead_time = 600<br>
}<br>
home_server localhost {<br>
type = auth<br>
ipaddr = 127.0.0.1<br>
port = 1812<br>
secret = testing123<br>
require_message_authenticator = yes<br>
response_window = 20<br>
zombie_period = 40<br>
revive_interval = 120<br>
status_check = status-server<br>
check_interval = 30<br>
num_answers_to_alive = 3<br>
max_outstanding = 65536<br>
coa {<br>
irt = 2<br>
mrt = 16<br>
mrc = 5<br>
mrd = 30<br>
}<br>
}<br>
home_server_pool my_auth_failover {<br>
type = fail-over<br>
home_server = localhost<br>
}<br>
realm example.com {<br>
auth_pool = my_auth_failover<br>
}<br>
realm LOCAL {<br>
}<br>
realm NULL {<br>
}<br>
realm univ-lille3.fr {<br>
type = radius<br>
authhost = LOCAL<br>
accthost = LOCAL<br>
nostrip<br>
}<br>
realm etu.univ-lille3.fr {<br>
type = radius<br>
authhost = LOCAL<br>
accthost = LOCAL<br>
nostrip<br>
}<br>
realm ext.univ-lille3.fr {<br>
type = radius<br>
authhost = LOCAL<br>
accthost = LOCAL<br>
nostrip<br>
}<br>
<br>
realm DEFAULT {<br>
type = radius<br>
authhost = rad1.eduroam.fr:1812<br>
accthost = rad1.eduroam.fr:1813<br>
secret = **********************************<br>
nostrip<br>
}<br>
<br>
realm DEFAULT {<br>
type = radius<br>
authhost = rad2.eduroam.fr:1812<br>
accthost = rad2.eduroam.fr:1813<br>
secret = ************************************<br>
nostrip<br>
}<br>
<br>
CLIENTS.CONF :<br>
<br>
client localhost {<br>
ipaddr = 127.0.0.1<br>
secret = *******<br>
require_message_authenticator = yes <br>
}<br>
client 193.51.224.109 {<br>
secret = ****************************<br>
shortname = rad1.eduroam.fr<br>
}<br>
client 130.79.200.23 {<br>
secret = ****************************<br>
shortname = rad2.eduroam.fr<br>
}<br>
client ******* {<br>
secret = **********<br>
shortname = MX800R-1<br>
nastype = trapeze<br>
}<br>
client ******** {<br>
secret = ***********<br>
shortname = MX800R-2<br>
nastype = trapeze<br>
}<br>
<br>
<br>
Debug output (-XX):<br>
<br>
<br>
rad_recv: Access-Request packet from host 192.168.58.5 port
20009, id=46, length=176<br>
NAS-Port-Id = "AP42/1"<br>
Calling-Station-Id = "74-2F-68-ED-12-1C"<br>
Called-Station-Id = "00-0B-0E-94-89-40:eduroam"<br>
Service-Type = Framed-User<br>
EAP-Message =
0x0201001a016573757064656d40756e69762d726f75656e2e6672<br>
User-Name = <a class="moz-txt-link-rfc2396E" href="mailto:esupdem@univ-rouen.fr">"esupdem@univ-rouen.fr"</a><br>
NAS-Port = 57286<br>
NAS-Port-Type = Wireless-802.11<br>
NAS-IP-Address = 192.168.58.5<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator = 0x6830881b1c96c187831ae1494d8e8f2a<br>
Mon Jan 21 15:29:46 2013 : Info: # Executing section authorize
from file /etc/freeradius/sites-enabled/eduroam<br>
Mon Jan 21 15:29:46 2013 : Info: +- entering group authorize {...}<br>
Mon Jan 21 15:29:46 2013 : Info: ++[preprocess] returns ok<br>
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/)<br>
Mon Jan 21 15:29:46 2013 : Info: expand: %{Called-Station-Id}
-> 00-0B-0E-94-89-40:eduroam<br>
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating
("%{Called-Station-Id}" =~
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE<br>
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~
/^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE<br>
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~
/.*@.*/)<br>
Mon Jan 21 15:29:46 2013 : Info: expand: %{User-Name} ->
hidden<br>
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating ("%{User-Name}" =~
/.*@.*/) -> TRUE<br>
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~
/.*@.*/) -> TRUE<br>
Mon Jan 21 15:29:46 2013 : Info: ++- entering elsif
("%{User-Name}" =~ /.*@.*/) {...}<br>
Mon Jan 21 15:29:46 2013 : Info: +++[ok] returns ok<br>
Mon Jan 21 15:29:46 2013 : Info: ++- elsif ("%{User-Name}" =~
/.*@.*/) returns ok<br>
Mon Jan 21 15:29:46 2013 : Info: ++ ... skipping else for request
228: Preceding "if" was taken<br>
Mon Jan 21 15:29:46 2013 : Info: ++[mschap] returns noop<br>
Mon Jan 21 15:29:46 2013 : Info: [suffix] Looking up realm hidden
for User-Name = hidden<br>
Mon Jan 21 15:29:46 2013 : Info: [suffix] Found realm "DEFAULT"<br>
Mon Jan 21 15:29:46 2013 : Info: [suffix] Adding Realm = "DEFAULT"<br>
Mon Jan 21 15:29:46 2013 : Info: [suffix] Proxying request from
user hidden to realm DEFAULT<br>
Mon Jan 21 15:29:46 2013 : Info: [suffix] Preparing to proxy
authentication request to realm "DEFAULT" <br>
Mon Jan 21 15:29:46 2013 : Info: ++[suffix] returns updated<br>
Mon Jan 21 15:29:46 2013 : Info: [eap] Request is supposed to be
proxied to Realm DEFAULT. Not doing EAP.<br>
Mon Jan 21 15:29:46 2013 : Info: ++[eap] returns noop<br>
Mon Jan 21 15:29:46 2013 : Info: ++[pap] returns noop<br>
Mon Jan 21 15:29:46 2013 : Info: # Executing section pre-proxy
from file /etc/freeradius/sites-enabled/eduroam<br>
Mon Jan 21 15:29:46 2013 : Info: +- entering group pre-proxy {...}<br>
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
->
/var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121<br>
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
expands to
/var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121<br>
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] expand: %t
-> Mon Jan 21 15:29:46 2013<br>
Mon Jan 21 15:29:46 2013 : Info: ++[pre_proxy_log] returns ok<br>
Sending Access-Request of id 243 to 193.51.224.109 port 1812<br>
NAS-Port-Id = "AP42/1"<br>
Calling-Station-Id = "74-2F-68-ED-12-1C"<br>
Called-Station-Id = "00-0B-0E-94-89-40:eduroam"<br>
Service-Type = Framed-User<br>
EAP-Message =
0x0201001a016573757064656d40756e69762d726f75656e2e6672<br>
User-Name = hidden<br>
NAS-Port = 57286<br>
NAS-Port-Type = Wireless-802.11<br>
NAS-IP-Address = 192.168.58.5<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Proxy-State = 0x3436<br>
Mon Jan 21 15:29:46 2013 : Info: Proxying request 228 to home
server 193.51.224.109 port 1812<br>
Sending Access-Request of id 243 to 193.51.224.109 port 1812<br>
NAS-Port-Id = "AP42/1"<br>
Calling-Station-Id = "74-2F-68-ED-12-1C"<br>
Called-Station-Id = "00-0B-0E-94-89-40:eduroam"<br>
Service-Type = Framed-User<br>
EAP-Message =
0x0201001a016573757064656d40756e69762d726f75656e2e6672<br>
User-Name = hidden<br>
NAS-Port = 57286<br>
NAS-Port-Type = Wireless-802.11<br>
NAS-IP-Address = 192.168.58.5<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Proxy-State = 0x3436<br>
Mon Jan 21 15:29:46 2013 : Debug: Going to the next request<br>
Mon Jan 21 15:29:46 2013 : Debug: Waking up in 0.9 seconds.<br>
Mon Jan 21 15:29:47 2013 : Debug: Waking up in 13.0 seconds.<br>
rad_recv: Access-Request packet from host 192.168.58.5 port 20009,
id=46, length=176<br>
Mon Jan 21 15:29:51 2013 : Info: Sending duplicate proxied request
to home server 193.51.224.109 port 1812 - ID: 243<br>
Sending Access-Request of id 243 to 193.51.224.109 port 1812<br>
NAS-Port-Id = "AP42/1"<br>
Calling-Station-Id = "74-2F-68-ED-12-1C"<br>
Called-Station-Id = "00-0B-0E-94-89-40:eduroam"<br>
Service-Type = Framed-User<br>
EAP-Message =
0x0201001a016573757064656d40756e69762d726f75656e2e6672<br>
User-Name =hidden<br>
NAS-Port = 57286<br>
NAS-Port-Type = Wireless-802.11<br>
NAS-IP-Address = 192.168.58.5<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Proxy-State = 0x3436<br>
Mon Jan 21 15:29:51 2013 : Debug: Waking up in 9.0 seconds.<br>
rad_recv: Access-Request packet from host 192.168.58.5 port 20009,
id=46, length=176<br>
Mon Jan 21 15:29:56 2013 : Info: Sending duplicate proxied request
to home server 193.51.224.109 port 1812 - ID: 243<br>
Sending Access-Request of id 243 to 193.51.224.109 port 1812<br>
NAS-Port-Id = "AP42/1"<br>
Calling-Station-Id = "74-2F-68-ED-12-1C"<br>
Called-Station-Id = "00-0B-0E-94-89-40:eduroam"<br>
Service-Type = Framed-User<br>
EAP-Message =
0x0201001a016573757064656d40756e69762d726f75656e2e6672<br>
User-Name = hidden<br>
NAS-Port = 57286<br>
NAS-Port-Type = Wireless-802.11<br>
NAS-IP-Address = 192.168.58.5<br>
NAS-Identifier = "Trapeze"<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Proxy-State = 0x3436<br>
Mon Jan 21 15:29:56 2013 : Debug: Waking up in 4.0 seconds.<br>
Mon Jan 21 15:30:00 2013 : Info: Cleaning up request 228 ID 46
with timestamp +1976<br>
Mon Jan 21 15:30:00 2013 : Proxy: Marking home server
193.51.224.109 port 1812 as zombie (it looks like it is dead).<br>
<br>
Thanks<br>
<br>
<br>
<br>
<br>
<br>
</font>
</body>
</html>