Adding proxying to our EAP setup
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 11 01:24:36 CEST 2006
Dave Mussulman wrote:
> The catch I ran into involved the mschap section not authenticating off
> the User-Password in the users file if I had ntlm_auth line configured.
> This is my test system, and I don't have samba/winbindd configured so
> those attempts always failed, but it never seemed to fall back to
> figuring out itself. That made troubleshooting difficult when I
> couldn't get the simple users file entry to work. Commenting out the
> ntlm_auth line did the trick. I haven't changed anything on our
> production servers, but it must do things differently as we have
> ntlm_auth configured and authenticating from the AD or a sql database
> with local passwords. Maybe FreeRADIUS handles different ntlm_auth
> failures differently (cannot bind versus bad user password?)
You need something like this:
alocaluser User-Password := "astring", MS-CHAP-Use-NTLM-Auth := 0
...which lets you use ntlm_auth for some users, but override it on a
case-by-case basis.
> Until the upstream server gets the functionality I'm looking for, there
> were a few possible future issues I wanted to document before I lost
> them. If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address
> == 127.0.0.1 trick doesn't work. I was also concerned that proxying
Hmm. Yes, that would occur, and in many cases copy_request_to_tunnel is
highly desirable. Not sure how to handle that.
> seems to keep the NAS-IP-Address set to 127.0.0.1, and I didn't know if
> the upstream provider would be concerned about that. I put a setting in
> the preproxy_users file to set that to an allowed NAS IP, but didn't get
> to fully test/confirm that worked.
Yes again. Hmm. Not really optimal - the ideal situation would be
copy_request_to_tunnel to give the original NAS IPs/ports/etc. to the
upstream server, but as you say that breaks the match for the inner eap.
I guess inner/outer should really be a FreeRadius internal attribute.
From the look of the code however, fake requests will have
Client-IP-Address set to 127.0.0.1 by the "preprocess" module, and
that's a FreeRadius internal/not-on-the-wire attribute - you should be
able to replace matching on NAS-IP-Address with Client-IP-Address and
set copy_request_to_tunnel and all would be well.
>
> Thanks again for the help, and great product!
>
> Dave
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
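A worked configuration putting the two suggestions above together, added here as an illustration and not part of the list thread. It assumes a FreeRADIUS 1.x layout with a "users" file and a "peap" section in eap.conf; the Client-IP-Address match is taken from Phil's "from the look of the code" remark and has not been verified here, so treat it as an assumption to test.

```text
# users file (added example, not from the thread)

# Keep ntlm_auth for everyone else, but force a local cleartext password
# for this one test account: MS-CHAP-Use-NTLM-Auth := 0 disables the
# ntlm_auth call for this entry only.
alocaluser  User-Password := "astring", MS-CHAP-Use-NTLM-Auth := 0

# Match inner-tunnel requests without relying on NAS-IP-Address.
# The "preprocess" module sets Client-IP-Address (internal, never on the
# wire) to 127.0.0.1 for the fake inner request, so this check should keep
# working even when copy_request_to_tunnel rewrites NAS-IP-Address to the
# real NAS address. (Assumption per Phil's reply; confirm with debug output.)
DEFAULT     Client-IP-Address == 127.0.0.1
            Fall-Through = Yes

# eap.conf, peap section (added example): pass the original NAS
# attributes from the outer request into the tunnel so the upstream
# server sees the real NAS-IP-Address rather than 127.0.0.1.
peap {
    copy_request_to_tunnel = yes
}
```

Run the server with `radiusd -X` and check that the inner request shows Client-IP-Address = 127.0.0.1 before relying on the DEFAULT entry.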