On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1@gmail.com> wrote:
Well, about empty realm - I mean this: 1) outer identity: empty
That's an issue. The outer identity shouldn't be empty. In RADIUS, it's *forbidden* to have an empty User-Name. See RFC 7542. The outer identity should be "anonymous", or maybe "@realm" where it's your realm.
2) inner identity: username
I need to authenticate two kind of users: 1) ones with credentials above 2) eduroam
Except that an empty outer identity means that your users will *never* be able to use eduroam. An outer User-Name of "@example.com" is routable back to you via eduroam. An empty outer User-Name will just get dropped on the floor.
The only difference is in outer and inner identity. The both setups use EAP + MSCHAPv2 and OpenLDAP.
I am trying to handle those two kind of users in single virtual server
You generally *must* run them in a single virtual server. Because the Ads will send both user authentications to one RADIUS server. And the RADIUS server has to figure it out.
and it doesn't work - it says it's proxying request to localhost and that's it.
See the FAQ for "it doesn't work". And post the *actual* debug output. Not a one-line summary. What you
proxy.conf:
We don't need to see that. The documentation says to post the debug log, *not* the configuration files.
Virtual server for inner identity:
We don't need to see that, either. If it doesn't work, it's wrong. If you post the debug output, we see it *running* the configuration, which is infinitely more useful. What you should be doing is: * all users log in with a non-empty outer identity. * *your* users log in with outer identity of "@my.domain.tld" * the FreeRADIUS configuration has that domain as a local one * everything else gets proxied to eduroam A long and detailed guide is in the Wiki: https://wiki.freeradius.org/guide/eduroam Alan DeKok.