FreeRADIUS and RSA RADIUS Server

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Feb 5 16:07:10 CET 2008


Jakub Morávek wrote:
> First of all thanks for your reply. I'll try to be more specific.
>
> On Feb 5, 2008 2:58 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
>     Jakub Morávek wrote:
>     >    I do not have much experience with radius, so my question may be
>     > stupid. Has anybody experience with using freeradius (Version 1.1.3 in
>     > Debian Sarge) as proxy for RSA RADIUS Server included in RSA
>     > Authentication Manager 6.1?
>
>      Many people have tried this.  It works.
>
>
> I know, but I did not find anyone who discussed this problem.
>
>     > When authentication request goes through freeradius proxy, RSA Manager
>     > thinks that Agent host is my freeradius proxy instead of original host
>     > which sent authenticate request.
>
>      I don't know what an "Agent host" is.  FreeRADIUS *is* a RADIUS client
>      to the RSA manager.
>
>
> In RSA terminology an "Agent host" is a host which sends an
> authentication request.
>
> For example, if you want to set up "ssh-server" to authenticate ssh
> login against RSA, you have to add "ssh-server" (name and its IP
> address) into the RSA database and set up a list of users which are
> allowed to log into "ssh-server".
> If "user1" tries to access "ssh-server", "ssh-server" sends an
> authentication request to RSA.
> RSA looks into the database to see if "user1" is allowed to log into
> the "ssh-server" host.
>
> In my case RSA rejects "user1" access, because RSA thinks that
> "user1" wants to log into "freeradius" and there is no "freeradius"
> Agent host defined in the RSA database.
>
>     > Does this mean that freeradius processes all attributes from
>     > pre-proxy-detail-20080204 log, but sends only attributes which are
>     > shown in extended debug mode? If so, can anybody give me any advice how
>     > I can configure freeradius to send more attributes?
>
>      To do... what?
>
>
> My idea is that freeradius does not send Client-IP-Address attribute 
> and therefore RSA RADIUS determines that original host is freeradius 
> proxy server.
>
Erm no, you're wrong. 'Client-IP-Address' is an internal FreeRADIUS
attribute. If it was sent the Funk RADIUS server wouldn't understand
it... but it's not sent, as all FR internal attributes are filtered out.

The RSA Funk Server determines Agent Host identity from the UDP packet
header, not any of the attributes inside the RADIUS packet. It could in
theory use NAS-IP-Address as an identifier, but I doubt it does.
>
>
>
>      Alan DeKok.
>     -
>     List info/subscribe/unsubscribe? See
>     http://www.freeradius.org/list/users.html 
>
>
>    Jakub


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
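
Added example (not part of the original message, and not RSA or FreeRADIUS code): a small model of the lookup described above, showing why a request relayed by a proxy resolves to the proxy when the server keys on the UDP source address, and what keying on NAS-IP-Address would return instead. The addresses, the AGENTS table and the function names are constructed for illustration, and the proxy is modelled as forwarding the payload unchanged, which is a simplification.

```python
import ipaddress
import struct

USER_NAME, NAS_IP_ADDRESS = 1, 4  # RFC 2865 attribute type numbers

def build_access_request(ident, user, nas_ip):
    """Encode a minimal Access-Request (no User-Password; illustration only)."""
    name = user.encode()
    attrs = bytes([USER_NAME, 2 + len(name)]) + name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + bytes(16) + attrs  # zeroed authenticator: constructed placeholder

def parse_attributes(packet):
    """Return {type: value} for the type-length-value attributes of a packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def identify_agent(udp_source_ip, packet, agents, use_nas_ip=False):
    """Model of the server-side lookup: which registered host sent this request?"""
    if use_nas_ip:
        raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
        key = str(ipaddress.IPv4Address(raw)) if raw else None
    else:
        key = udp_source_ip  # comes from the datagram header, not the payload
    return agents.get(key)

# Constructed sample data: documentation address range, hypothetical hosts.
AGENTS = {"192.0.2.10": "ssh-server"}  # only the original host is registered
PROXY_IP = "192.0.2.20"                # the FreeRADIUS proxy, not registered
REQUEST = build_access_request(7, "user1", "192.0.2.10")

def demo():
    """Return (direct, via proxy, via proxy keyed on NAS-IP-Address)."""
    return (identify_agent("192.0.2.10", REQUEST, AGENTS),
            identify_agent(PROXY_IP, REQUEST, AGENTS),
            identify_agent(PROXY_IP, REQUEST, AGENTS, use_nas_ip=True))
```
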



