Configuring a proxied and local authentication
Hello. Fist, I would like to apologize if my question is really too simple, but I think that I don't exactly understand the configuration philosophy of freeradius. I did configure one radius server (A) to proxy incoming requests to an other radius server (B, this later one using pam). First question: I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it... I tried: <username> Proxy-To-Realm := <realm>, NAS-Identifier := <id> and <username> Proxy-To-Realm := <realm>, NAS-Identifier += <id> (i'm using radtest to check my configuration, perhaps it's the problem ?) Second question: How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam) ? As I said, I'm just perhaps too bad, and did not understand how all this thing works, but please help me anyway :-) Thanks. -- Samuel Degrande LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3 Phone: (33)3.28.77.85.30 USTL - Universite de Lille 1 Fax: (33)3.28.77.85.37 59655 VILLENEUVE D'ASCQ CEDEX - FRANCE [CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]
Samuel Degrande <Samuel.Degrande@lifl.fr> wrote:
I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...
That's because the NAS didn't send it. FreeRADIUS doesn't add one, so...
I tried: <username> Proxy-To-Realm := <realm>, NAS-Identifier := <id> and <username> Proxy-To-Realm := <realm>, NAS-Identifier += <id>
That won't work in the "users" file. You have to set the NAS-Identifier in the preproxy_users file.
How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam) ?
That's a little harder. The server isn't designed to do that easily. Alan DeKok.
Alan DeKok wrote:
Samuel Degrande <Samuel.Degrande@lifl.fr> wrote:
I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...
That's because the NAS didn't send it. FreeRADIUS doesn't add one, so...
I tried: <username> Proxy-To-Realm := <realm>, NAS-Identifier := <id> and <username> Proxy-To-Realm := <realm>, NAS-Identifier += <id>
That won't work in the "users" file. You have to set the NAS-Identifier in the preproxy_users file.
works just fine. thanks a lot !
How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam) ?
That's a little harder. The server isn't designed to do that easily.
arghhh... but even if it's not easy, is there a solution ? :-) I did think of a hack, but it's not really a good solution I guess : - use a pam authentication, and - write a specific pam_radius module which will first request the remote radius server and then search in the local user base...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Samuel Degrande LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3 Phone: (33)3.28.77.85.30 USTL - Universite de Lille 1 Fax: (33)3.28.77.85.37 59655 VILLENEUVE D'ASCQ CEDEX - FRANCE [CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]
I did configure one radius server (A) to proxy incoming requests to an other radius server (B, this later one using pam).
First question: I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...
preproxy_users will do this for you.
How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam) ?
Not sure on that one, will have to defer to someone else.
participants (3)
-
Alan DeKok -
Dusty Doris -
Samuel Degrande