Thank you, Alan, for taking the time to reply.
You should really use 3.0.15.
Apologies, I followed the example in the FreeRADIUS Technical Guide and typed "yum install freeradius" and this is the version it installed. I will go back and install 3.0.15 manually.
No... read the debug output. The error is something else.
When testing and specifying the full username on the client e.g. 'user@uni.ac.uk', everything works. Specifying just the short username on the client 'user' fails. Using a packet capture, I see that the request does not get forwarded as hoped. I read the output of radiusd -X and noticed the EAP error, but I don't know whether it is possible to overcome it?
If they're your users, then you should authenticate them. You don't need to edit the User-Name. You don't need to proxy. Describe the problem you're trying to solve.
We are a small entity next to a big university. The neighbouring university allows its users to connect to eduroam locally without specifying the realm in the username, but this can lead to problems because their users are often not aware that they need to use the full username if they wish to roam. We get many visitors from the university and their perception is that our wireless is broken. I want to make it easier for those visitors to connect to eduroam, because I can't explain to all visitors that they should user their full username. I need to proxy and I think that need to add the realm to the username, otherwise the eduroam NRPS won't know what to do with the request. On 9 September 2017 at 18:03, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 9, 2017, at 10:11 AM, Dale Lloyd <dale.lloyd@gmail.com> wrote:
FreeRADIUS Version 3.0.4
You should really use 3.0.15.
I wish to modify the User-Name attribute in access-requests by appending the realm, but if I do that, FreeRADIUS refuses to proxy the request.
No... read the debug output. The error is something else.
I added the following to /etc/raddb/sites-enabled/default:
authorize {
if("%{User-Name}" !~ /@/) { update request { User-Name := "%{User-Name}@uni.ac.uk" Realm := "eduroam" }
The better question is why do you think this is necessary?
If they're your users, then you should authenticate them. You don't need to edit the User-Name. You don't need to proxy.
Or, if you do proxy, you can just set Proxy-To-Realm:
if("%{User-Name}" !~ /@/) { update control { Proxy-To-Realm := "my-other-server" }
radiusd -X output:
(0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Identity does not match User-Name, setting from EAP Identity (0) eap : Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject
That doesn't say "refused to proxy the request". The message is English, and should be clear.
Suggestions greatly appreciated.
Describe the problem you're trying to solve. Don't ask why your proposed solution doesn't work.
There are likely many other ways of getting the same result.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html