Hello, I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1? I need to solve following problem with the "Agent host" i.e. host which send authenticate request to RSA Auth Manager. When authentication request goest through freeradius proxy, RSA Manager thinks that Agent host is my freeradius proxy instead of original host which sent authenticate request. Below is pasted part of pre-proxy detail log and debug log. part of output from: freeradius -X: Sending Access-Request of id 0 to 10.100.25.2 port 1812 User-Name = "jakub" User-Password = "1234628665" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "ssh" NAS-Port = 21704 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.5.0.39" Proxy-State = 0x313039 output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204: Packet-Type = Access-Request Mon Feb 4 23:55:50 2008 User-Name = "jakub" User-Password = "1234628665" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "ssh" NAS-Port = 21704 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.5.0.39" Client-IP-Address = 10.5.0.31 Stripped-User-Name = "jakub" Realm = "NULL" Realm = "NULL" Proxy-State = 0x313039 Does this mean, that freeradius process all attributes from pre-proxy-detail-20080204 log, but sends only attributes, which are shown in extended debug mode? If so, can anybody give me any advice how can I configure freeradius to send more attributes? Jakub
Jakub Morávek wrote:
I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?
Many people have tried this. It works.
When authentication request goest through freeradius proxy, RSA Manager thinks that Agent host is my freeradius proxy instead of original host which sent authenticate request.
I don't know what an "Agent host" is. FreeRADIUS *is* a RADIUS client to the RSA manager.
Does this mean, that freeradius process all attributes from pre-proxy-detail-20080204 log, but sends only attributes, which are shown in extended debug mode? If so, can anybody give me any advice how can I configure freeradius to send more attributes?
To do... what? Alan DeKok.
Firs of all thanks for your reply. I'll try to be more specific. On Feb 5, 2008 2:58 PM, Alan DeKok <aland@deployingradius.com> wrote:
Jakub Morávek wrote:
I have not many experiences with radius, so my question may be stupid. Has anybody experience with using freeradius (Version 1.1.3 in Debian Sarge) as proxy for RSA RADIUS Server included in RSA Authentication Manager 6.1?
Many people have tried this. It works.
I know, but I did not find anyone who discussed this problem.
When authentication request goest through freeradius proxy, RSA Manager thinks that Agent host is my freeradius proxy instead of original host which sent authenticate request.
I don't know what an "Agent host" is. FreeRADIUS *is* a RADIUS client to the RSA manager.
In RSA terminology "Agent hosts" is host which sends authetication request. For example, if you want to setup "ssh-server" to authenticate ssh login against RSA, you have to add "ssh-server" (name and it's ip address) into RSA database and setup list of users, which are allowed to log into "ssh-server". If "user1" tries to access "ssh-server", "ssh-server" sends authentication request to RSA. RSA looks into database if "user1" is allowed to log into "ssh-server" host. In my case RSA rejects "user1" access, because RSA thikns, that "user1" wants to log into "freeradius" and there is no "freeradius" Agent host defined in RSA database.
Does this mean, that freeradius process all attributes from pre-proxy-detail-20080204 log, but sends only attributes, which are shown in extended debug mode? If so, can anybody give me any advice how can I configure freeradius to send more attributes?
To do... what?
My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jakub
Jakub Morávek wrote:
Firs of all thanks for your reply. I'll try to be more specific.
On Feb 5, 2008 2:58 PM, Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>> wrote:
Jakub Morávek wrote: > I have not many experiences with radius, so my question may be > stupid. Has anybody experience with using freeradius (Version 1.1.3 in > Debian Sarge) as proxy for RSA RADIUS Server included in RSA > Authentication Manager 6.1?
Many people have tried this. It works.
I know, but I did not find anyone who discussed this problem.
> When authentication request goest through freeradius proxy, RSA Manager > thinks that Agent host is my freeradius proxy instead of original host > which sent authenticate request.
I don't know what an "Agent host" is. FreeRADIUS *is* a RADIUS client to the RSA manager.
In RSA terminology "Agent hosts" is host which sends authetication request.
For example, if you want to setup "ssh-server" to authenticate ssh login against RSA, you have to add "ssh-server" (name and it's ip address) into RSA database and setup list of users, which are allowed to log into "ssh-server". If "user1" tries to access "ssh-server", "ssh-server" sends authentication request to RSA. RSA looks into database if "user1" is allowed to log into "ssh-server" host.
In my case RSA rejects "user1" access, because RSA thikns, that "user1" wants to log into "freeradius" and there is no "freeradius" Agent host defined in RSA database.
> Does this mean, that freeradius process all attributes from > pre-proxy-detail-20080204 log, but sends only attributes, which are > shown in extended debug mode? If so, can anybody give me any advice how > can I configure freeradius to send more attributes?
To do... what?
My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
Erm no, your wrong 'Client-IP-Address' in an internal FreeRADIUS attribute. If it was sent the Funk RADIUS server wouldn't understand it... but it's not sent as all FR internal attributes are filtered out. The RSA Funk Sever determines Agent Host identity from the UDP Packet Header, not any of the attributes inside the RADIUS Packet. It could in theory use NAS-IP-Address as an identifier, but I doubt it does.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jakub ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
Ahem, your first post: output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204: Packet-Type = Access-Request Mon Feb 4 23:55:50 2008 User-Name = "jakub" User-Password = "1234628665" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "ssh" NAS-Port = 21704 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.5.0.39" Client-IP-Address = 10.5.0.31 <=== Stripped-User-Name = "jakub" Realm = "NULL" Realm = "NULL" Proxy-State = 0x313039 Ivan Kalik Kalik Informatika ISP
Ivan Kalik wrote:
My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
Ahem, your first post:
output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:
Packet-Type = Access-Request Mon Feb 4 23:55:50 2008 User-Name = "jakub" User-Password = "1234628665" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "ssh" NAS-Port = 21704 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.5.0.39" Client-IP-Address = 10.5.0.31 <=== Stripped-User-Name = "jakub" Realm = "NULL" Realm = "NULL" Proxy-State = 0x313039
No. This was a bug, Alan just fixed it. It's cosmetic. 'Client-IP-Address' is never sent !
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Jakub Morávek wrote:
In RSA terminology "Agent hosts" is host which sends authetication request. ... In my case RSA rejects "user1" access, because RSA thikns, that "user1" wants to log into "freeradius" and there is no "freeradius" Agent host defined in RSA database.
So... you might need to define one.
My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
The Client-IP-Address attribute is not sent in a packet. The RADIUS protocol uses the originating IP address to determine the client. I would suggest reading the RSA documentation to see how to make it think that FreeRADIUS is not the originating host. If the documentation does not define how to do that, it is likely impossible. Alan DeKok.
Hi, I'm planning a FreeRadius deployment where the same machine will be running two FreeRADIUS instances, each one listening in different interfaces with different ip adresses. However, I had been looking in the documentation forthis possibility and found no information about it, so I don't know whether is possible or not. Has anyone try this? I think that I wiil need to different radiusd with different radius.conf, users, db, accounting files, but I'm not really sure. So far I had been able to launch two radiusd using the -i and -p flags. Regards, Pablo Cuesta
pablo.cuesta@bt.com wrote:
Hi, I'm planning a FreeRadius deployment where the same machine will be running two FreeRADIUS instances, each one listening in different interfaces with different ip adresses. However, I had been looking in the documentation forthis possibility and found no information about it, so I don't know whether is possible or not. Has anyone try this?
Use FreeRadius 2 , yo can instantiate two virtual servers and bind them to different ip addresses.
I think that I wiil need to different radiusd with different radius.conf, users, db, accounting files, but I'm not really sure. So far I had been able to launch two radiusd using the -i and -p flags.
Regards, Pablo Cuesta
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik -
Jakub Morávek -
pablo.cuesta@bt.com