To proxy, or not to proxy, that is the question ...
I currently run two virtual servers, one for our local secure wireless and one for eduroam customers. The local one receives RADIUS packets from Bradford Campus Manager, which is responsible for Network Access Control and stamps Auth-OK replies with the VLAN for the user. What I want to do is combine these wireless services, so that we just have eduroam. The functionality we will need, will be: The requests will come to the eduroam server address. if (no domain specified) then who are ya? fi if (domain is non-local) then proxy to user's home site. fi if (domain is local AND authenticating from a local NAS) then authenticate locally by proxy to Bradford Campus Manager (Campus Manager will receive the stripped user@realm as user and proxy to the local server address) else authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site fi The part I am not sure how to do is the last part, a conditional proxy based on source NAS. I assume I need to dip into unlang, but can I put that into the proxy.conf file? realm local.site.ac.uk { if( NAS-IP-Address ~= /192.168.*/ ) then # match my likely clients... set-up A else set-up B fi } Or whatever (I don't speak unlang, yet!), or have I got to determine the source of the request somewhere else and use unlang to re-write the realm to some special sentinel value that would be caught in proxy.conf like: realm local.site.ac.uk { do the normal thing } realm special.local.site.ac.uk { do the clever NAC proxy stuff } As usual, thanks for your time and hope someone can steer me in the right direction before my head explodes. (Yes I did read the docs, didn't help in this case!) ---------------------- Barry Dean Principal Programmer/Analyst Networks Group Computing Services Department
On Thu, 15 Oct 2009, Dean, Barry wrote:
if (domain is local AND authenticating from a local NAS) then authenticate locally by proxy to Bradford Campus Manager (Campus Manager will receive the stripped user@realm as user and proxy to the local server address) else authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site fi
The part I am not sure how to do is the last part, a conditional proxy based on source NAS. I assume I need to dip into unlang, but can I put that into the proxy.conf file?
We're doing this by using a syntax in the client shortname ('client ... { shortname = ... }' in clients.conf). We declare our RADIUS clients with names such as: <device>@<site> So all our things are something@net.cam.ac.uk; things from internal colleges or departments are something@college.cam.ac.uk or whatever. The things from JANET Roaming are jrsN@ja.net. Then, we can do things like: if ("%{Client-Shortname}" =~ /\.cam\.ac\.uk$/) { # do something special when NAS in Cambridge } Using literal matching or regexps, we've found we can do all sorts of things here. - Bob -- Bob Franklin <rcf34@cam.ac.uk> +44 1223 748479 Network Division, University of Cambridge Computing Service
Hi,
if (domain is local AND authenticating from a local NAS) then authenticate locally by proxy to Bradford Campus Manager (Campus Manager will receive the stripped user@realm as user and proxy to the local server address) else authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site fi
The part I am not sure how to do is the last part, a conditional proxy based on source NAS. I assume I need to dip into unlang, but can I put that into the proxy.conf file?
with 2.x ? just ensure that clients are defined correctly - either by doing as the other post said, or create a new virtual server (copy your current one and rename it eg 'eduroam' and then define the proxies as being handled by that server ie internal stuff -> [RADIUS server {default/inner}] -> return attributes etc external stuff -> [RADIUS server {eduroam/inner}] -> no return attributes etc look at the virtual_server definition in the clients.conf - that says, basically, for any request from that client, slap it through that virtual server. this means you can actually have a very stripped down virtual server... no need for anything wierd...anything coming from the proxies will be solely for you (because the proxy has done the realm work already and decided on suitable target) and you dont need to deal with settings VLANs etc. the only thing you may want in place is an authorise section to deal with people who cannot remotely authenticate - eg they've broken AUP or are infected with virus/reported as bad etc alan
Thanks for this, and thanks to Bob Franklin to. I have something working now by selecting on client name and re-writing the User-Name to append "bcm", then proxying that alone to the NAC servers. This leaves all the config I had before for my existing domains alone. I might try the other virtual server approach as well as that is quite neat. All I need now is for the blasted NAC server to recognise me as a client and actually do something instead of ignoring me! Thanks again. (I now speak some unlang!) On 15 Oct 2009, at 15:50, Alan Buxey wrote:
Hi,
if (domain is local AND authenticating from a local NAS) then authenticate locally by proxy to Bradford Campus Manager (Campus Manager will receive the stripped user@realm as user and proxy to the local server address) else authenticate and return ACK/NACK to remote server in usual way for one of our users visiting remote site fi
The part I am not sure how to do is the last part, a conditional proxy based on source NAS. I assume I need to dip into unlang, but can I put that into the proxy.conf file?
with 2.x ? just ensure that clients are defined correctly - either by doing as the other post said, or create a new virtual server (copy your current one and rename it eg 'eduroam' and then define the proxies as being handled by that server ie
internal stuff -> [RADIUS server {default/inner}] -> return attributes etc
external stuff -> [RADIUS server {eduroam/inner}] -> no return attributes etc
look at the virtual_server definition in the clients.conf - that says, basically, for any request from that client, slap it through that virtual server.
this means you can actually have a very stripped down virtual server... no need for anything wierd...anything coming from the proxies will be solely for you (because the proxy has done the realm work already and decided on suitable target) and you dont need to deal with settings VLANs etc. the only thing you may want in place is an authorise section to deal with people who cannot remotely authenticate - eg they've broken AUP or are infected with virus/reported as bad etc
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------- Barry Dean Principal Programmer/Analyst Networks Group Computing Services Department
participants (3)
-
Alan Buxey -
Bob Franklin -
Dean, Barry