Proxying based on SSID

Lai Fu Keung LFK at cc.hku.hk
Wed Jan 24 07:21:59 CET 2007


Hi,

Sorry if the questions have been asked. I have done a lot of searches,
but could not find the answer.

Normally, I proxy a PEAP request whenever the realm is unknown to us
(i.e. using the DEFAULT realm without stripping the user name). However, for
some SSIDs, I want requests to be handled locally with LDAP, independent
of what the realm is (and with the user name stripped). What I did is to
find those SSIDs in "Called-Station-Id" and
set Proxy-To-Realm to a local realm.

But the problem (I guess) is that when freeradius processes the realm
file, the user name is not stripped. When later on processed by the
local realm, the request fails because the user name still contains the
domain.

Any suggestions on how to solve it are appreciated. Thanks in advance.

Best Regards,
Lai

Users
=====
DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~ "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := "hku.hk"

DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd

Radiusd -X
=========
rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152
        NAS-Port-Id = "2098/1"
        Calling-Station-Id = "00-18-DE-83-3E-1B"
        Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"
        Service-Type = Framed-User
        EAP-Message = 0x02010012017063637732406173642e636f6d
        User-Name = "pcw2@asd.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 17.18.28.26
        Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: Looking up realm "asd.com" for User-Name = "pcw2@asd.com"
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Proxying request from user pcw2 to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
  modcall[authorize]: module "suffix" returns updated for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    users: Matched entry DEFAULT at line 171
    users: Matched entry DEFAULT at line 244
  modcall[authorize]: module "files" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 18
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
  Found Autz-Type usePlainTextPwd
  Processing the authorize section of radiusd.conf
modcall: entering group usePlainTextPwd for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pcw2@asd.com
radius_xlat:  '(&(uid=pcw2@asd.com)))'
radius_xlat:  'ou=ldap,o=hku,c=hk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (&(uid=pcw2@asd.com))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "withNTPwd" returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
modcall: leaving group usePlainTextPwd (returns notfound) for request 0
  WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm!  Cancelling invalid proxy request.
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
 WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfd7f032f1c3ed7e8e39bf1872727e771
Finished request 0
Going to the next request
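The routing the post is after, written out as a small model in Python rather than as FreeRADIUS configuration. This is an added example, not code from the poster or from the FreeRADIUS project: it parses Called-Station-Id into AP MAC and SSID, applies the SSID test before any realm decision (so a request on a local SSID is stripped and kept local whatever its realm, while an unknown realm on any other SSID is proxied with the name left intact), and then builds the (&(uid=...)) filter from the chosen lookup name. The SSID regex, the realm names and the sample request are assumptions that mirror the values visible in the debug output; the "@" in the sample User-Name is restored from the EAP-Message hex. The example escapes the EAP identity before putting it in the LDAP filter, since that string is chosen by the peer; whether your rlm_ldap version already does this for you is worth checking in its documentation.

```python
import re

# Constructed sample request mirroring the attributes in the debug output above.
# The "@" is restored from the EAP-Message hex (7063637732406173642e636f6d is
# "pcw2@asd.com"); the list archive rewrote it as " at ".
SAMPLE_REQUEST = {
    "User-Name": "pcw2@asd.com",
    "Called-Station-Id": "00-16-E0-FD-47-40:VIP-peap",
    "NAS-Port-Type": "Wireless-802.11",
}

# Assumed policy (not from the post): SSIDs matching this regex are always
# handled locally with the realm stripped. It stands in for 'MY-SSID$' in the
# users file; the SSID actually seen in the debug output is "VIP-peap".
LOCAL_SSIDS = re.compile(r"^VIP-")
LOCAL_REALM = "hku.hk"          # the realm this server answers for itself
LOCAL_REALMS = {LOCAL_REALM}
PROXY_REALM = "DEFAULT"         # catch-all realm that is proxied without stripping


def parse_called_station_id(value):
    """Split 'AP-MAC:SSID' into (mac, ssid).

    Only the first ':' separates MAC from SSID (a MAC never contains one, an
    SSID may); ssid is None when the NAS sent the MAC alone."""
    mac, sep, ssid = value.partition(":")
    return mac.upper(), (ssid if sep else None)


def split_realm(user_name):
    """Split 'user@realm' at the last '@', as the suffix realm rule does.

    Returns (user_name, None) when there is no '@' (the NULL realm case)."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm


def route_request(req):
    """Return (action, realm, lookup_name) for one Access-Request.

    The SSID check runs before any realm decision, so a request on a local
    SSID is stripped and answered locally even when its realm is unknown.
    lookup_name is what the local LDAP search (or the home server) sees."""
    user_name = req["User-Name"]
    _, ssid = parse_called_station_id(req.get("Called-Station-Id", ""))
    user, realm = split_realm(user_name)

    if ssid is not None and LOCAL_SSIDS.search(ssid):
        return "local", LOCAL_REALM, user          # SSID override: strip, stay local
    if realm is None:
        return "local", LOCAL_REALM, user_name     # no realm at all: local, nothing to strip
    if realm.lower() in LOCAL_REALMS:
        return "local", realm.lower(), user        # our own realm: strip, stay local
    return "proxy", PROXY_REALM, user_name         # unknown realm: proxy intact, home server needs it


# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a peer-controlled value (here the EAP identity) for use in a filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def ldap_uid_filter(lookup_name):
    """Build the (&(uid=...)) search filter for the name chosen by route_request."""
    return "(&(uid=%s))" % ldap_filter_escape(lookup_name)


if __name__ == "__main__":
    action, realm, name = route_request(SAMPLE_REQUEST)
    print(action, realm, name, ldap_uid_filter(name))
```

Run stand-alone it prints the decision for the sample request from the log: local, realm hku.hk, lookup name "pcw2", filter (&(uid=pcw2)). The same user on a non-matching SSID is proxied to DEFAULT with "pcw2@asd.com" untouched, which is the behaviour the first users entry was meant to override.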