Proxying based on SSID
Ana Gallardo Gómez
ana_gallardo_77 at hotmail.com
Wed Jan 24 11:58:32 CET 2007
I think you have to use the attribute "Stripped-User-Name" to authenticate the user.

> Date: Wed, 24 Jan 2007 14:21:59 +0800
> From: LFK at cc.hku.hk
> To: freeradius-users at lists.freeradius.org
> Subject: Proxying based on SSID
>
> Hi,
>
> Sorry if the questions have been asked. I have done a lot of searches,
> but could not find the answer.
>
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.
>
> But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.
>
> Any suggestions to solve it are appreciated. Thanks in advance.
>
> Best Regards,
> Lai
>
> Users
> =====
> DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~ "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := "hku.hk"
>
> DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd
>
> Radiusd -X
> =========
> rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152
>     NAS-Port-Id = "2098/1"
>     Calling-Station-Id = "00-18-DE-83-3E-1B"
>     Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"
>     Service-Type = Framed-User
>     EAP-Message = 0x02010012017063637732406173642e636f6d
>     User-Name = "pcw2 at asd.com"
>     NAS-Port-Type = Wireless-802.11
>     NAS-Identifier = "3Com"
>     NAS-IP-Address = 17.18.28.26
>     Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: Looking up realm "asd.com" for User-Name = "pcw2 at asd.com"
> rlm_realm: Found realm "DEFAULT"
> rlm_realm: Proxying request from user pcw2 to realm DEFAULT
> rlm_realm: Adding Realm = "DEFAULT"
> rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
> modcall[authorize]: module "suffix" returns updated for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 244
> modcall[authorize]: module "files" returns ok for request 0
> rlm_eap: EAP packet type response id 1 length 18
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> modcall: leaving group authorize (returns updated) for request 0
> Found Autz-Type usePlainTextPwd
> Processing the authorize section of radiusd.conf
> modcall: entering group usePlainTextPwd for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for pcw2 at asd.com
> radius_xlat: '(&(uid=pcw2 at asd.com)))'
> radius_xlat: 'ou=ldap,o=hku,c=hk'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (&(uid=pcw2 at asd.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "withNTPwd" returns notfound for request 0
> modcall: leaving group redundant (returns notfound) for request 0
> modcall: leaving group usePlainTextPwd (returns notfound) for request 0
> WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm! Cancelling invalid proxy request.
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
> Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
>     Framed-IP-Address = 255.255.255.254
>     Framed-MTU = 576
>     Service-Type = Framed-User
>     EAP-Message = 0x010200061920
>     Message-Authenticator = 0x00000000000000000000000000000000
>     State = 0xfd7f032f1c3ed7e8e39bf1872727e771
> Finished request 0
> Going to the next request
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
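The mismatch discussed in this thread, modelled as an added Python example (not FreeRADIUS code and not written by either poster): the LDAP lookup only matches once the realm has been stripped for the locally handled SSID. `LOCAL_SSIDS`, `route` and `uid_filter` are hypothetical names, and the fallback from Stripped-User-Name to User-Name and the local handling of realm-less names are assumptions of this sketch.

```python
import re

LOCAL_SSIDS = {"VIP-peap"}  # assumption: SSIDs to authenticate locally
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in a user-supplied value."""
    return "".join(_ESC.get(ch, ch) for ch in value)


def ssid_of(called_station_id):
    """Return the SSID from an 'AP-MAC:SSID' Called-Station-Id, else None."""
    m = re.fullmatch(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:(.+)",
                     called_station_id)
    return m.group(1) if m else None


def route(request):
    """Return ('local' | 'proxy', attributes) for one Access-Request."""
    attrs = dict(request)
    name = attrs["User-Name"]
    user, sep, realm = name.rpartition("@")
    if not sep:                      # no realm suffix at all
        user, realm = name, ""
    # Assumption: realm-less names are also handled locally.
    if ssid_of(attrs.get("Called-Station-Id", "")) in LOCAL_SSIDS or not realm:
        attrs["Stripped-User-Name"] = user   # strip before the LDAP lookup
        return "local", attrs
    return "proxy", attrs            # realm present, SSID not in the local set


def uid_filter(attrs):
    """Build the LDAP filter, preferring Stripped-User-Name when it is set."""
    name = attrs.get("Stripped-User-Name") or attrs["User-Name"]
    return "(uid=%s)" % ldap_escape(name)


# Constructed request using the values shown in the debug output above.
SAMPLE = {"User-Name": "pcw2@asd.com",
          "Called-Station-Id": "00-16-E0-FD-47-40:VIP-peap"}

if __name__ == "__main__":
    print(uid_filter(SAMPLE))            # realm still attached to the uid
    decision, attrs = route(SAMPLE)
    print(decision, uid_filter(attrs))   # filter now uses the bare user name
```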