802.1x host/machine authentication
Chidanand Gangur
chidanand.gangur at gmail.com
Thu Oct 21 11:54:40 CEST 2010
Thanks Phil, thanks a lot
It worked. I have multiple home servers configured so I am using your
logic like this
if ("%{User-Name}" =~ /^host\/.*testad1.com$/) {
    update control {
        Proxy-To-Realm := "testad1.com"
    }
}
elsif ("%{User-Name}" =~ /^host\/.*si-test.dssc.com$/) {
    update control {
        Proxy-To-Realm := "si-test.dssc.com"
    }
}
Thanks,
Chidanand
On Thu, Oct 21, 2010 at 1:52 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 10/21/2010 08:55 AM, Chidanand Gangur wrote:
>>
>> I have collected logs for full session of host authentication, log is
>> pasted below.
>>
>> As mentioned in my previous mail I just want to proxy the host
>> authentication request to the home server, is it possible?
>
> You didn't mention that in your original email.
>
> As I've said - the "host/foo" syntax is NOT an IPASS username. It may have
> the same format, but you do not want to process it using that realm.
>
> If you want to proxy these requests, I would recommend doing the following:
>
> 1. Define the realm you are proxying to in "proxy.conf"
> 2. In "authorize", do the following:
>
> authorize {
>     ... # N.B do not have the "IPASS", "suffix" or "ntdomain"
>     ... # modules before this point, they'll confuse things
>
>     if (User-Name =~ /^host\//) {
>         update control {
>             Proxy-To-Realm := THEREALM
>         }
>     }
>     ...
> }
>
> ...then FreeRadius will do the right thing.
>
> Out of interest, why do you want to proxy them? You are presumably aware
> that FreeRadius can, if correctly setup, perform the machine authentication
> itself?
--
Chidanand Gangur
Pune.
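
An added example, not part of the original thread: a small Python harness that runs the two routing patterns from the message over constructed User-Name values, next to a stricter variant, to show which names each rule set would send to which realm. The STRICT patterns, the sample names and the function names are assumptions made here, and Python's re module stands in for the server's regex engine.

```python
import re

# Patterns as posted above; "\/" becomes "/" because Python needs no
# delimiter escape. Dots are unescaped, so each "." matches any character.
POSTED = [
    (r"^host/.*testad1.com$", "testad1.com"),
    (r"^host/.*si-test.dssc.com$", "si-test.dssc.com"),
]

# Assumed stricter variant (not from the thread): literal dots, and a "."
# label boundary required directly in front of the domain.
STRICT = [
    (r"^host/[^/@\s]+\.testad1\.com$", "testad1.com"),
    (r"^host/[^/@\s]+\.si-test\.dssc\.com$", "si-test.dssc.com"),
]

# Constructed sample User-Name values, not taken from any log.
SAMPLES = [
    "host/pc01.testad1.com",
    "host/lab7.si-test.dssc.com",
    "host/pc01.nottestad1.com",
    "host/pc01.testad1xcom",
    "host/pc01.example.org",
    "alice@testad1.com",
]


def route(user_name, rules):
    """Return the realm of the first matching rule (if/elsif order), else None."""
    for pattern, realm in rules:
        if re.search(pattern, user_name):
            return realm
    return None


def disagreements(names):
    """Names that the posted and the stricter rule sets route differently."""
    return [n for n in names if route(n, POSTED) != route(n, STRICT)]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:30} posted={route(name, POSTED)!s:18} strict={route(name, STRICT)}")
    print("routed differently:", disagreements(SAMPLES))
```

Before porting a stricter pattern into unlang, check how your FreeRADIUS version expects backslashes to be escaped inside a regex.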