Re: proxy same realm but different authentication protocol to different server
I've try below at the end of authorize section if (control:Auth-Type := "EAP") { update control { { Proxy-To-Realm == "xyz.com" } realm xyz.com { type = radius authhost = 123.123.123.1:1812 accthost = 123.123.123.1:1813 secret = password nostrip } } if (control:Auth-Type := "PAP") { update control { { Proxy-To-Realm == "xyz.com" } realm xyz.com { type = radius authhost = 123.123.123.2:1812 accthost = 123.123.123.2:1813 secret = password nostrip } } Got error while startup the freeradius Error: /etc/freeradius/sites-enabled/default[212]: ERROR: No value given for attribute { Error: /etc/freeradius/sites-enabled/default[211]: Failed to parse "update" subsection. Error: /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section. What is my mistake? Thanks KH ----- Original Message ---- From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Fri, December 18, 2009 4:22:39 AM Subject: Re: proxy same realm but different authentication protocol to different server Hi,
Am I possible to do these?
1. proxy realm xyz.com (PAP/CHAP) to server#1
2. proxy realm xyz.com (PEAP) to server#2
yes, in many varied ways.... you could doa check of Auth-Type at the end of the authorise section..and then if realm = xyz.com update the control to proxy to server1 it its PAP or CHAP or if its EAP then proxy it to server2 alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
piston wrote:
I've try below at the end of authorize section
if (control:Auth-Type := "EAP") { update control { { Proxy-To-Realm == "xyz.com" } realm xyz.com {
Uh... the "realm" configuration goes into raddb/proxy.conf. It doesn't go into the "authorize" section. Alan DeKok.
Hi do u mean at proxy.conf realm xyz.com { type = radius authhost = 123.123.123.1:1812 accthost = 123.123.123.1:1813 secret = password nostrip } realm xyz.com { type = radius authhost = 123.123.123.2:1812 accthost = 123.123.123.2:1813 secret = password nostrip } then at"authorize" section if (control:Auth-Type := "EAP") { update control { { Proxy-To-Realm == "xyz.com" } if (control:Auth-Type := "PAP") { update control { { Proxy-To-Realm == "xyz.com" } ??? sound no logic, i'm really confuse right now. thanks ----- Original Message ---- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Fri, January 29, 2010 12:38:25 AM Subject: Re: proxy same realm but different authentication protocol to different server piston wrote:
I've try below at the end of authorize section
if (control:Auth-Type := "EAP") { update control { { Proxy-To-Realm == "xyz.com" } realm xyz.com {
Uh... the "realm" configuration goes into raddb/proxy.conf. It doesn't go into the "authorize" section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
piston wrote:
do u mean at proxy.conf
No. I mean *read* the documentation in proxy.conf. Setting up the same realm with 2 different IP's has a different meaning. It will NOT do what you want.
??? sound no logic, i'm really confuse right now.
You think the server works the way you want. It doesn't. It works the way it's documented. For two different proxy destinations, set up two different realms. Alan DeKok.
Due some limitation, my partner is using two different server to handle different auth-type (PAP / EAP), said server1 only take PAP cannot handle EAP, server 2 take EAP cannot handle PAP. But their user (realm xyz.com), login at my location maybe authenticate by PAP or EAP, depending what kind of services they're selected. My challenge is how to proxy the same realm to two different server depending on the auth-type. ----- Original Message ---- From: Alan Buxey <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Fri, January 29, 2010 5:52:11 AM Subject: Re: proxy same realm but different authentication protocol to different server Hi,
Hi
do u mean at proxy.conf
yes - but for 2 servers, you want to use the server pool method (with 2.1.x)
then at"authorize" section
yep alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
piston <pistonic@yahoo.com> writes:
Due some limitation, my partner is using two different server to handle different auth-type (PAP / EAP), said server1 only take PAP cannot handle EAP, server 2 take EAP cannot handle PAP.
But their user (realm xyz.com), login at my location maybe authenticate by PAP or EAP, depending what kind of services they're selected.
My challenge is how to proxy the same realm to two different server depending on the auth-type.
I think you are missing the fact that you can call the realms whatever you want when you are using Proxy-To-Realm, completely independent of the actual user names you are using. So you can have realm eap.xyz.com { .. } realm pap.xyz.com { .. } in proxy.conf and then do update { Proxy-To-Realm := eap.xyz.com } or update { Proxy-To-Realm := pap.xyz.com } as appropriate. Or maybe just let one of them be the default, defining the xyz.com realm and only update the requests matching the other type. Bjørn
piston wrote:
Due some limitation, my partner is using two different server to handle different auth-type (PAP / EAP), said server1 only take PAP cannot handle EAP, server 2 take EAP cannot handle PAP.
But their user (realm xyz.com), login at my location maybe authenticate by PAP or EAP, depending what kind of services they're selected.
Yes...
My challenge is how to proxy the same realm to two different server depending on the auth-type.
Define two realms: PAP.xyc.com, and EAP.xyz.com. These should have the server IPs and secrets for the relevant servers. Then, define a realm xyz.com: realm xyz.com { # NOTHING } In "authorize", *after* the "realms" module, do: if (Realm == "xyz.com") { if (EAP-Message) { update control { Proxy-To-Realm := "EAP.xyz.com" } } else { update control { Proxy-To-Realm := "PAP.xyz.com" } } }
On 27/01/2010 09:39, piston wrote:
I've try below at the end of authorize section
if (control:Auth-Type := "EAP") { update control { { Proxy-To-Realm == "xyz.com" }
Your operators and nesting are wrong above... if (control:Auth-Type == "EAP") { update control { Proxy-To-Realm := "xyz.com" } } -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
participants (5)
-
Alan Buxey -
Alan DeKok -
Bjørn Mork -
James J J Hooper -
piston