Terminate EAP-PEAP client connection at FreeRadius Proxy and proxy (forward) request as PAP

Ivan Kalik tnt at kalik.net
Sat Feb 2 02:49:56 CET 2008


>All users found with SECURACCESS domain in name i.e. "anyname at SECURACCESS".
>Proxy them with PAP authentication to "SECURACCCESS" domain IP address
>mentioned in proxy.conf. 
>
>>Fall-Through := No
>
>If SECURACCESS domain found in User-Name "anyname at SECURACCESS" stop after
>proxying.
>
>So I want to END all EAP tunnels at proxy for ALL domains. Authenticate with
>LDAP except for SECURACCESS domain. IF SECURACCESS domain found, proxy only
>PAP further (to IP address mentioned in proxy.conf).
>
>>Fri Feb  1 18:49:26 2008 : Debug:   modsingle[authorize]: calling suffix
>(rlm_realm) for request 0
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Looking up realm
>"SECURACCESS" for User-Name = >"joakimlindgren at SECURACCESS"
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Found realm "SECURACCESS"
>
>So here we found SECURACCESS domain name in User-Name:
>
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Stripped-User-Name
>= "joakimlindgren"
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Proxying request from user
>joakimlindgren to realm >SECURACCESS
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Adding Realm =
>"SECURACCESS"
>>Fri Feb  1 18:49:26 2008 : Debug:     rlm_realm: Preparing to proxy
>authentication request to realm "SECURACCESS"
>
>Where proxying the request to ip address mentioned in proxy.conf (but here
>we don't end the EAP?)
>

Have different names for a server realm and user domain so you can choose
when to proxy. Leave user as user at SECURACCESS; configure SECURACCESS to
be a LOCAL realm; configure home server realm as SECURE and proxy to
that one.

Again, you should think about 2.0.1 where you can define one virtual
server to deal with @SECURACCESS requests and another for others.

Ivan Kalik
Kalik Informatika ISP
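
The realm split suggested in the reply above, sketched as an added example in FreeRADIUS 1.x syntax; it is not configuration posted by anyone in the thread. The home server address and shared secret are constructed placeholders, and the `users` entry assumes that `suffix` runs before `files` in `authorize` and that tunneled inner requests carry `FreeRADIUS-Proxied-To = 127.0.0.1`.

```conf
# proxy.conf (added example)

# User domain: users keep logging in as user@SECURACCESS.
# Declared LOCAL so rlm_realm only records Realm and Stripped-User-Name
# and does not proxy the outer EAP conversation.
realm SECURACCESS {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

# Home server realm: a separate name that no user ever types.
# 192.0.2.10 and the secret are placeholders; use the real home server values.
realm SECURE {
        type     = radius
        authhost = 192.0.2.10:1812
        accthost = 192.0.2.10:1813
        secret   = CHANGE_ME_SHARED_SECRET
}

# users (added example)
# Select the home server realm only for the request unwrapped from the
# EAP tunnel, so the tunnel itself is terminated on this server.
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Realm == "SECURACCESS", Proxy-To-Realm := "SECURE"
```

Running the server with `radiusd -X` should then show the outer request matched to realm SECURACCESS without proxying, with the proxy to SECURE happening only for the tunneled request.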




More information about the Freeradius-Users mailing list