Proxy configuration question
Hello, I have a rudimentary proxy configuration question: I am doing some testing with a Freeradius server in the lab and the setup looks as follows: [Host] --WiFi--- [AP]---[Wireless Cntrlr]-----------[AAA/Freeradius server] Using EAP-TTLS for authentication. My wpa_supplicant config file looks like: ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin network={ ssid="mySSID" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS anonymous_identity="anonymous@example.com" ca_cert="/home/testuser/Downloads/ca.pem" phase2="autheap=PAP" identity="daniel" password="daniel" } The RADIUS server gets the Access request and then tries to proxy it to example.com. I dont want the request or authentication to be proxied elsewhere. The authentication needs to happen on the local RADIUS server itself. What am I missing in the config? The server and client certs are all there in /etc/raddb/certs directory. Below is a snippet of the logs that I am seeing on the RADIUS server: Tue Feb 26 17:29:43 2013 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234 User-Name = "anonymous@example.com" Calling-Station-Id = "00-03-7F-10-51-82" NAS-IP-Address = 192.168.0.8 NAS-Port = 34 Called-Station-Id = "8C-0C-90-15-D1-9C:mySSID" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "8C-0C-90-15-D1-9C" Connect-Info = "CONNECT 802.11a/n" EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332 Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...} Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm "example.com" for User-Name = "anonymous@example.com" Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm "example.com" Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = "anonymous" Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = "example.com" Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous to realm example.com Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication request to realm "example.com" Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to Realm example.com. Not doing EAP. Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 207 Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop Tue Feb 26 17:29:43 2013 : Info: WARNING: Empty pre-proxy section. Using default return values. Any help appreciated. -BPa
On 27/02/13 14:46, bpatil@ovi.com wrote:
The RADIUS server gets the Access request and then tries to proxy it to example.com. I dont want the request or authentication to be proxied elsewhere. The authentication needs to happen on the local RADIUS server itself. What am I missing in the config?
If you don't want to proxy the request, don't configure the server to proxy. In you case, you should remove the "suffix" module from "authorize" and/or remove the "example.com" realm from the "proxy.conf"
Thanks Phil. Just a quick add-on question. In radiusd.conf there is : # To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = yes $INCLUDE proxy.conf Would switching off proxy, be sufficient? Or will I end up with other issues? -BPa
________________________________ From: Phil Mayers <p.mayers@imperial.ac.uk> To: freeradius-users@lists.freeradius.org Sent: Wednesday, February 27, 2013 9:10 AM Subject: Re: Proxy configuration question
On 27/02/13 14:46, bpatil@ovi.com wrote:
The RADIUS server gets the Access request and then tries to proxy it to example.com. I dont want the request or authentication to be proxied elsewhere. The authentication needs to happen on the local RADIUS server itself. What am I missing in the config?
If you don't want to proxy the request, don't configure the server to proxy.
In you case, you should remove the "suffix" module from "authorize" and/or remove the "example.com" realm from the "proxy.conf" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 27/02/13 17:23, bpatil@ovi.com wrote:
Thanks Phil. Just a quick add-on question.
In radiusd.conf there is :
# To disable proxying, change the "yes" to "no", and comment the # $INCLUDE line. # # allowed values: {no, yes} # proxy_requests = yes $INCLUDE proxy.conf
Would switching off proxy, be sufficient? Or will I end up with other issues?
TBH I can't remember the various effects. Try it and see.
participants (2)
-
bpatil@ovi.com -
Phil Mayers