<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">Hello,</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">I have a rudimentary proxy configuration question:</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">I am doing some testing with a Freeradius server in the lab and the </font></div><div><font face="times new roman, new york, times, serif">setup looks as follows:</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">[Host] --WiFi--- [AP]---[Wireless
Cntrlr]-----------[AAA/Freeradius server]</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">Using EAP-TTLS for authentication. </font></div><div><font face="times new roman, new york, times, serif">My wpa_supplicant config file looks like:</font></div><div><font face="times new roman, new york, times, serif">ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin</font></div><div><font face="times new roman, new york, times, serif">network={</font></div><div><font face="times new roman, new york, times, serif"> ssid="mySSID"</font></div><div><font face="times new roman, new york, times, serif"> scan_ssid=1</font></div><div><font face="times new roman, new york, times, serif"> key_mgmt=WPA-EAP</font></div><div><font face="times new roman, new york, times,
serif"> eap=TTLS</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span> anonymous_identity="anonymous@example.com"</font></div><div><font face="times new roman, new york, times, serif"> ca_cert="/home/testuser/Downloads/ca.pem"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span> phase2="autheap=PAP"<span class="Apple-tab-span" style="white-space:pre"> </span> </font></div><div><font face="times new roman, new york, times, serif"> identity="daniel"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span> password="daniel"</font></div><div><font face="times new roman, new york, times, serif">
}</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">The RADIUS server gets the Access request and then tries to proxy it</font></div><div><font face="times new roman, new york, times, serif">to example.com. I dont want the request or authentication to be proxied</font></div><div><font face="times new roman, new york, times, serif">elsewhere. The authentication needs to happen on the local RADIUS server</font></div><div><font face="times new roman, new york, times, serif">itself. What am I missing in the config? </font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">The server and client certs are all there in /etc/raddb/certs directory.</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york,
times, serif">Below is a snippet of the logs that I am seeing on the RADIUS server:</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: Ready to process requests.</font></div><div><font face="times new roman, new york, times, serif">rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>User-Name = "anonymous@example.com"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Calling-Station-Id = "00-03-7F-10-51-82"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-IP-Address = 192.168.0.8</font></div><div><font
face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Port = 34</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Called-Station-Id = "8C-0C-90-15-D1-9C:mySSID"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Service-Type = Framed-User</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Framed-MTU = 1400</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Port-Type = Wireless-802.11</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>NAS-Identifier = "8C-0C-90-15-D1-9C"</font></div><div><font
face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Connect-Info = "CONNECT 802.11a/n"</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332</font></div><div><font face="times new roman, new york, times, serif"><span class="Apple-tab-span" style="white-space:pre"> </span>Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default</font></div><div><font face="times new roman, new york, times,
serif">Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...}</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm "example.com" for User-Name = "anonymous@example.com"</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm "example.com"</font></div><div><font face="times new roman, new york, times,
serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = "anonymous"</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = "example.com"</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous to realm example.com</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication request to realm "example.com" </font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.</font></div><div><font face="times new roman, new york, times,
serif">Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 207</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop</font></div><div><font face="times new roman, new york, times, serif">Tue Feb 26 17:29:43 2013 : Info: WARNING: Empty pre-proxy section. Using default return values.</font></div><div><font face="times new roman, new york, times,
serif"><br></font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">Any help appreciated.</font></div><div><font face="times new roman, new york, times, serif"><br></font></div><div><font face="times new roman, new york, times, serif">-BPa</font></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div></div></div></body></html>