Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy(forward) request as PAP

Jayal1972 joakim.lindgren at gmail.com
Sat Feb 2 02:48:22 CET 2008


Sorry, got it wrong in last post, read this one instead:

> DEFAULT           EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

End all EAP-TTLS connections at the proxy.
If not the SECURACCESS domain: check the User-Name against LDAP.
(If possible to order: do NOT check the SECURACCESS domain against LDAP.)

> SECURACCESS    FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := "SECURACCESS"

All users found with the SECURACCESS domain in the name, i.e. "anyname@SECURACCESS":
proxy them with PAP authentication to the "SECURACCESS" domain IP address
mentioned in proxy.conf.

> Fall-Through := No

If the SECURACCESS domain is found in User-Name ("anyname@SECURACCESS"), stop after
proxying.

So I want to END all EAP tunnels at proxy for ALL domains. Authenticate with
LDAP except for SECURACCESS domain. IF SECURACCESS domain found, proxy only
PAP further (to IP address mentioned in proxy.conf).



> Fri Feb  1 18:48:37 2008 : Debug: Listening on accounting *:1813
> Fri Feb  1 18:48:37 2008 : Debug: Listening on proxy *:1814
> Fri Feb  1 18:48:37 2008 : Info: Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.150:32797, id=161,

...

> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Looking up realm "SECURACCESS" for User-Name = "joakimlindgren@SECURACCESS"
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Found realm "SECURACCESS"

So here we found SECURACCESS domain name in User-Name:

> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Stripped-User-Name = "joakimlindgren"
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Realm = "SECURACCESS"
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS"

End all EAP connections here, because the "SECURACCESS" domain name was found;
proxy the request to the IP address mentioned in proxy.conf.

> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "suffix" returns updated for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Request already proxied.  Ignoring.
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "ntdomain" returns noop for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   rlm_eap: Request is supposed to be proxied to Realm SECURACCESS.  Not doing EAP.

END the EAP tunnel: do NOT do EAP, only PAP.

> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "files" returns notfound for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ldap (rlm_ldap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: - authorize
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren

Here it authorizes against LDAP. What I want to do for the SECURACCESS domain
is to NOT authorize against LDAP. All OTHER domains will authorize against LDAP...
(how do I accomplish this?)


> Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  '(uid=joakimlindgren)'
> Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  'o=Contonso'
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: setting TLS CACert File to /etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: starting TLS
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: bind as cn=admin,o=Contonso/toor to 192.168.1.71:389
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: waiting for bind result ...
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: Added the eDirectory password in check items
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: looking for check items in directory...
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: looking for reply items in directory...
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: user joakimlindgren authorized to use remote access
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "ldap" returns ok for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "pap" returns noop for request 0

I want to only authorize (and authenticate) with PAP for SECURACCESS; if it is
another domain, authorize and authenticate against LDAP...

> Fri Feb  1 18:49:26 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:  proxy: creating 4b01a8c0:1812
> Fri Feb  1 18:49:26 2008 : Debug:  proxy: allocating 4b01a8c0:1812 0

// Thanks




Jayal1972 wrote:
> 
> Hi again, I probably have to explain what I want to accomplish in detail,
> what I´m aiming for is this:
> In users file:
> 
>> DEFAULT           EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
> 
> End all EAP-TTLS connections at the proxy.
> If not the SECURACCESS domain: check the User-Name against LDAP.
> (If possible to order: do NOT check the SECURACCESS domain against LDAP.)
> 
>> SECURACCESS    FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := "SECURACCESS"
> 
> All users found with the SECURACCESS domain in the name, i.e.
> "anyname@SECURACCESS": proxy them with PAP authentication to the
> "SECURACCESS" domain IP address mentioned in proxy.conf.
> 
>> Fall-Through := No
> 
> If the SECURACCESS domain is found in User-Name ("anyname@SECURACCESS"), stop
> after proxying.
> 
> So I want to END all EAP tunnels at proxy for ALL domains. Authenticate
> with LDAP except for SECURACCESS domain. IF SECURACCESS domain found,
> proxy only PAP further (to IP address mentioned in proxy.conf).
> 
>> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Looking up realm "SECURACCESS" for User-Name = "joakimlindgren@SECURACCESS"
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Found realm "SECURACCESS"
> 
> So here we found SECURACCESS domain name in User-Name:
> 
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Stripped-User-Name = "joakimlindgren"
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Realm = "SECURACCESS"
>> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS"
> 
> Here it proxies the request to the IP address mentioned in proxy.conf (but here
> we don't end the EAP?)
> 
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "suffix"
> returns updated for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ntdomain
> (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Request already proxied. 
> Ignoring.
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from
> ntdomain (rlm_realm) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "ntdomain"
> returns noop for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> 
> What I want: END EAP Tunnel, do NOT EAP only PAP.
> 
> Fri Feb  1 18:49:26 2008 : Debug:   rlm_eap: Request is supposed to be
> proxied to Realm SECURACCESS.  
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "eap"
> returns noop for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "files"
> returns notfound for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling ldap
> (rlm_ldap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: - authorize
> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization
> for joakimlindgren
> Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  '(uid=joakimlindgren)'
> Fri Feb  1 18:49:26 2008 : Debug: radius_xlat:  'o=Contonso'
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful
> 
> Here it authenticates. What I want to do for the SECURACCESS domain is to NOT
> authenticate against LDAP.
> All OTHER domains will use LDAP... (how do I accomplish this?)
> 
>> Fri Feb  1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling pap
> (rlm_pap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: returned from
> pap (rlm_pap) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:   modcall[authorize]: module "pap"
> returns noop for request 0
> 
> I want to only do PAP (for SECURACCESS), IF other domain check against
> LDAP...
> 
> Fri Feb  1 18:49:26 2008 : Debug: modcall: leaving group authorize
> (returns updated) for request 0
> Fri Feb  1 18:49:26 2008 : Debug:  proxy: creating 4b01a8c0:1812
> Fri Feb  1 18:49:26 2008 : Debug:  proxy: allocating 4b01a8c0:1812 0
> ...
> 
> // Thanks
> 
> 
> 
> 
> 
> 
> Dmitry Sergienko-2 wrote:
>> 
>> Hi!
>> 
>> Jayal1972 wrote:
>>> Hi again, sorry, I have read the FAQ ;-) I thought that it wasn't needed,
>>> sorry.
>> 
>>> Sending Access-Request of id 0 to 192.168.1.75 port 1812
>>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
>>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
>> 
>>> Fri Feb  1 18:49:42 2008 : Proxy: marking authentication server
>>> 192.168.1.75:1812 for realm SECURACCESS dead
>> 
>> Your proxy server does not respond.
>> Please check if your proxy server accepts connections, no traffic
>> filtered and proxy really processes requests from 
>> FreeRADIUS server. Replies should reach FreeRADIUS also.
>> 
>> -- 
>> Best wishes,
>> Dmitry Sergienko (SDA104-RIPE)
>> Trifle Co., Ltd.
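One way to get the split the poster is after, written here as an added example that is neither the poster's configuration nor a FreeRADIUS default: it assumes a FreeRADIUS 2.x server, where the inner-tunnel virtual server (instead of users-file entries keyed on FreeRADIUS-Proxied-To) handles the terminated tunnel and an unlang condition on the Realm that rlm_realm adds decides whether ldap runs at all. The home server address and shared secret are placeholders. Note that only a TTLS inner request with a User-Password is forwarded as PAP; a PEAP inner request carries EAP-MSCHAPv2, so the SECURACCESS home server would receive EAP in that case.

```conf
# proxy.conf: where requests for the SECURACCESS realm go.
# Address and shared secret are placeholders, not values from this thread.
home_server securaccess_auth {
        type   = auth
        ipaddr = 192.0.2.10        # placeholder: the SECURACCESS RADIUS server
        port   = 1812
        secret = CHANGE_ME
}
home_server_pool securaccess_pool {
        type        = fail-over
        home_server = securaccess_auth
}
realm SECURACCESS {
        auth_pool = securaccess_pool
}

# sites-enabled/inner-tunnel: the PEAP/TTLS tunnel has already been
# terminated by the outer "default" server; this sees the inner request.
server inner-tunnel {
        authorize {
                suffix                 # user@SECURACCESS -> Realm, Proxy-To-Realm
                eap {
                        ok = return    # an inner EAP method (EAP-MSCHAPv2) stays here
                }
                files
                if (Realm == "SECURACCESS") {
                        noop           # proxied out: LDAP is not consulted
                }
                else {
                        ldap           # every other realm, and bare user names
                }
                pap                    # Auth-Type := PAP only when a User-Password is present
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
}
```

Running radiusd -X on such a server shows, for a user@SECURACCESS inner request, "Preparing to proxy" from rlm_realm and no rlm_ldap lines at all, which is the quickest check that the realm split works.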

-- 
Sent from the FreeRadius - User mailing list archive at Nabble.com.