Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

Jayal1972 joakim.lindgren at gmail.com
Sat Feb 2 02:24:04 CET 2008


Hi again. I probably have to explain what I want to accomplish in detail;
what I'm aiming for is this:
In the users file:

    DEFAULT           EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

End all EAP-TTLS connections at the proxy.
If not the SECURACCESS domain: check the username against LDAP.
(If it is possible to order this: do NOT check the SECURACCESS domain against LDAP.)

    SECURACCESS    FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := "SECURACCESS"

All users found with the SECURACCESS domain in the name, i.e. "anyname@SECURACCESS":
proxy them with PAP authentication to the "SECURACCESS" domain IP address
mentioned in proxy.conf.

    Fall-Through := No

If the SECURACCESS domain is found in the User-Name "anyname@SECURACCESS", stop after
proxying.

So I want to END all EAP tunnels at the proxy for ALL domains. Authenticate with
LDAP except for the SECURACCESS domain. IF the SECURACCESS domain is found, proxy only
PAP further (to the IP address mentioned in proxy.conf).

Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Looking up realm "SECURACCESS" for User-Name = "joakimlindgren@SECURACCESS"
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Found realm "SECURACCESS"

So here we found the SECURACCESS domain name in the User-Name:

Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Stripped-User-Name = "joakimlindgren"
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Realm = "SECURACCESS"
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS"

Where it proxies the request to the IP address mentioned in proxy.conf (but here
we don't end the EAP?)

Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "suffix" returns updated for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Request already proxied.  Ignoring.
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "ntdomain" returns noop for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0

What I want: END the EAP tunnel, do NOT do EAP, only PAP.

Fri Feb  1 18:49:26 2008 : Debug:   rlm_eap: Request is supposed to be proxied to Realm SECURACCESS.
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "files" returns notfound for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: - authorize
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren
Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  '(uid=joakimlindgren)'
Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  'o=Contonso'
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful

Here it authenticates. What I want to do for the SECURACCESS domain is to NOT
authenticate against LDAP.
All OTHER domains will use LDAP... (how do I accomplish this?)

Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "pap" returns noop for request 0

I want to only do PAP (for SECURACCESS); IF another domain, check against
LDAP...

Fri Feb  1 18:49:26 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0
Fri Feb  1 18:49:26 2008 : Debug:  proxy: creating 4b01a8c0:1812
Fri Feb  1 18:49:26 2008 : Debug:  proxy: allocating 4b01a8c0:1812 0
...

// Thanks

Dmitry Sergienko-2 wrote:
> 
> Hi!
> 
> Jayal1972 wrote:
>> Hi again, sorry, I have read the FAQ ;-) thought that it wasn't needed,
>> sorry.
> 
>> Sending Access-Request of id 0 to 192.168.1.75 port 1812
>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
> 
>> Fri Feb  1 18:49:42 2008 : Proxy: marking authentication server
>> 192.168.1.75:1812 for realm SECURACCESS dead
> 
> Your proxy server does not respond.
> Please check that your proxy server accepts connections, that no traffic is
> filtered, and that the proxy really processes requests from the FreeRADIUS
> server. Replies should reach FreeRADIUS also.
> 
> -- 
> Best wishes,
> Dmitry Sergienko (SDA104-RIPE)
> Trifle Co., Ltd.
> 

-- 
View this message in context: http://www.nabble.com/Terminate-EAP-PEAP-client-connection-at-FreeRadius-Proxy-and-proxy%28forward%29-request-as-PAP-tp15218593p15238455.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
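An added example, not from the original post and not the FreeRADIUS project's shipped configuration, of how the split described in the post (terminate the EAP tunnel on this server, proxy the inner request for SECURACCESS as PAP, authenticate everyone else against LDAP) can be expressed on a FreeRADIUS 1.1.x server (the `modsingle[authorize]` debug format above is the 1.x one). It uses EAP-TTLS with an inner PAP rather than PEAP, which is a deliberate swap: PEAP's inner method is EAP-MSCHAPv2, which carries only a challenge/response, so a server that terminates PEAP never holds the cleartext password and cannot forward it as PAP, whereas a TTLS/PAP inner request is an ordinary PAP Access-Request that rlm_realm can proxy. Everything not on the page is a placeholder: the certificate paths, the shared secret, and the file layout; the home server 192.168.1.75 is taken from the quoted reply and the LDAP base `o=Contonso` from the debug output. The check item `FreeRADIUS-Proxied-To == 127.0.0.1` marks the tunneled inner request, as in the post's own entry, and the `Realm` check item matches the attribute the log shows rlm_realm adding.

```conf
# ---- eap.conf (FreeRADIUS 1.1.x) -------------------------------------------
# Added example, not the post's own configuration. Paths are placeholders.
eap {
	default_eap_type = ttls

	tls {
		# This server's own certificate. Supplicants must be told to
		# verify it, or any access point can terminate the tunnel instead.
		private_key_file = ${raddbdir}/certs/server.pem
		certificate_file = ${raddbdir}/certs/server.pem
		CA_file          = ${raddbdir}/certs/ca.pem
		dh_file          = ${raddbdir}/certs/dh
		random_file      = ${raddbdir}/certs/random
	}

	ttls {
		# The inner PAP request is built as a separate request carrying
		# FreeRADIUS-Proxied-To = 127.0.0.1 and run through authorize
		# again; outer attributes and the tunneled reply are kept apart.
		copy_request_to_tunnel = no
		use_tunneled_reply     = no
	}
}

# ---- proxy.conf ------------------------------------------------------------
# LOCAL is the realm the outer request is pinned to, so it is never sent out.
realm LOCAL {
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}

# Home server for the SECURACCESS domain (address from the quoted reply,
# secret is a placeholder). What gets proxied here is the inner PAP request.
realm SECURACCESS {
	type     = radius
	authhost = 192.168.1.75:1812
	accthost = 192.168.1.75:1813
	secret   = replace-with-a-long-random-secret
}

# ---- users -----------------------------------------------------------------
# rlm_files stops at the first matching entry, so order matters.

# 1. Outer EAP request: FreeRADIUS-Proxied-To is absent on packets that came
#    from the NAS. Every packet of the EAP conversation carries EAP-Message,
#    so matching on it (rather than on one EAP-Type) also catches the initial
#    Identity response. Pin the request to LOCAL even though suffix already
#    picked SECURACCESS, and force Auth-Type EAP so the tunnel ends here.
DEFAULT	FreeRADIUS-Proxied-To !* ANY, EAP-Message =* ANY, Proxy-To-Realm := LOCAL, Auth-Type := EAP

# 2. Inner PAP request for a SECURACCESS user: keep the realm rlm_realm set
#    from the inner User-Name, so the PAP request goes to 192.168.1.75.
#    A request that is proxied skips the local authenticate section.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Realm == "SECURACCESS", Proxy-To-Realm := "SECURACCESS"

# 3. Inner PAP request for anyone else: bind to LDAP as the user with the
#    tunneled password.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := LDAP

# ---- radiusd.conf (relevant sections) --------------------------------------
# suffix must run before files so the Realm check item in entry 2 exists.
authorize {
	preprocess
	suffix
	eap
	files
	ldap
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
	eap
}
```

Two things to verify in `radiusd -X` before relying on this: the inner User-Name sent by the supplicant must carry the `@SECURACCESS` suffix, because the suffix module decides the realm from that inner name, and a bare inner identity would fall through to the LDAP entry; and the `rlm_ldap: performing user authorization` search will still appear for SECURACCESS users, since 1.1.x offers no way to skip a module inside authorize. That search is a lookup only: the authenticate section, where an LDAP bind with the user's password would happen, is not run for a request that is being proxied. On the security side, the tunneled PAP password leaves this server protected only by the RADIUS shared secret on the hop to 192.168.1.75, so that secret must be strong and the path trusted, and supplicants must validate the TTLS server certificate, otherwise a rogue access point can terminate the tunnel and collect passwords exactly the way this proxy does.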