User and EAP authentication
Hi, i am using freeradius 3.0.12+dfsg-5+deb9u1 on a debian 9 server. I confiured two virutal servers, one for X802.1 network authentication (name: inner-tunnel), another virtual server with PAP username/password authentication (name: keycloak). Every incoming request should processed by the virtual_server "keycloak-auth", except all X802.1 request should be processed to the virtual_server "inner-tunnel". But all requests, also the X802.1 requests, are processed by the virtual_server keycloak. If i unterstand it correctly, the eap module should send all EAP requests to the inner-tunnel, but this in not working :-( ... Only if i send all requests to the inner-tunnel virtual-server, then X802.1 auth is working How can i fix the issue? My listen configuration:
listen { type = auth ipaddr = * port = 0 virtual_server = keycloak } listen { type = acct ipaddr = * ipv6addr = :: port = 0 virtual_server = keycloak }
My keycloak size:
server keycloak { authorize { files filter_username filter_password preprocess expiration logintime keycloak } authenticate { Auth-Type keycloak { keycloak } Auth-Type pap { pap } } ... ...
Thanks!
On Mar 18, 2020, at 11:18 AM, Thomas Manninger <DBGTMaster@gmx.at> wrote
I confiured two virutal servers, one for X802.1 network authentication
(name: inner-tunnel), another virtual server with PAP username/password authentication (name: keycloak).
Every incoming request should processed by the virtual_server "keycloak-auth", except all X802.1 request should be processed to the virtual_server "inner-tunnel".
That’s not how virtual servers work. The listen section has no configuration which tells the server to do that.
But all requests, also the X802.1 requests, are processed by the virtual_server keycloak.
Yes, that’s how virtual server work.
If i unterstand it correctly, the eap module should send all EAP requests to the inner-tunnel, but this in not working :-( ...
No, the eap module will send “inner” authentication data to the inner-tunnel virtual server. But the eap module still has to run in a separate virtual server. The default examples and comments explain this fairly well.
Only if i send all requests to the inner-tunnel virtual-server, then X802.1 auth is working
How can i fix the issue?
Configure the server correctly. Add the eap module to the “outer” virtual server. The default configuration does this for a reason. There’s no documentation which says that the “listen” sections work like you want.
My listen configuration:
listen { type = auth ipaddr = * port = 0 virtual_server = keycloak }
There’s no magic there which says “run eap through a different virtual server”
participants (2)
-
Alan DeKok -
Thomas Manninger