FreeRadius going through ISA to reach federation

Rui Ribeiro ruyrybeyro at gmail.com
Sun Dec 18 02:09:18 CET 2011


>
> Message: 5
> Date: Sat, 17 Dec 2011 10:51:42 +0000
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: FreeRadius going through ISA to reach federation
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4EEC743E.5000606 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 12/16/2011 09:20 PM, Rui Ribeiro wrote:
>
>>> Eh? Who suggested that?
>> Another freeradius<->IAS thread in this list.
>
> Well, it's not a very useful suggestion in this instance. Setting
> Reply-Message won't magically make something work. Perhaps the original
> thread had some context that explains why the person thought it was
> useful at that juncture.
>
Indeed. I have taken it away.


>>>
>>> That's not an error; it's just a radius attribute.
>>>
>> In the debug logs, I have:
>> rad_recv: Access-Reject packet from host 10.10.66.18 port 1812, id=251,
>> length=24
>> Proxy-State = 0x3137
>>
>
> Yes, I know. What I'm trying to tell you is that "Proxy-State" is just a
> radius attribute related to proxying. It would be present in any packet,
> accept, challenge or reject, from the upstream server.
>
Indeed, I understood it after getting it to work.

> Ignore the Proxy-State. What matters is that the "code" is
> Access-Reject. The upstream server either rejected the packet itself, or
> forwarded a reject from the wider eduroam proxy hierarchy.
>
>>
>>>>
>>>> Any advice?
>>>
>>> You will need to debug this on the IAS server, since it is sending (or
>>> proxying) the reject. My guess is the policies in IAS are wrong.
>>>

They did indeed need to be modified. I thought a policy I defined was
enough, but the default wizard policies didn't work; I had to create a
custom policy by hand and create a new attribute allowing the
roaming. It is working fairly well now, so I thank everyone who
suggested I look more closely at IAS, and particularly you, Phil, for
the nice offer of help off the list.

Since authentication for normal users and roaming to the federation are
solved, I am already tagging VLANs according to whether people are
teachers, students or roaming, but will have to test it better on an
AP on Monday.

Best regards,
Rui Ribeiro
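A worked configuration of the VLAN-tagging step described in the message above, added here as an illustration rather than taken from the thread or from the FreeRADIUS project: FreeRADIUS 2.x unlang for the post-auth section of sites-enabled/default. The realm name local.example, the LDAP group names and the VLAN ids are assumed placeholders.

```text
# Hypothetical example (FreeRADIUS 2.x, sites-enabled/default).
# Assumed: realm module sets Realm for the local suffix "local.example",
# the ldap module is configured so Ldap-Group can be compared,
# and VLAN 10/20/30 are placeholders for teachers/students/roaming.
post-auth {
    # Replies for requests proxied to the federation pass through here
    # as well; Realm was set on the request when the suffix matched.
    if (Realm && Realm != "local.example") {
        # Roaming user: assign the guest VLAN and, with ":=", override
        # any Tunnel-* attributes the remote home server may have sent.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "30"
        }
    }
    elsif (Ldap-Group == "teachers") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (Ldap-Group == "students") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Unknown local group: strip any VLAN rather than guess one,
        # so the AP falls back to its default (typically most restricted) VLAN.
        update reply {
            Tunnel-Type !* ANY
            Tunnel-Medium-Type !* ANY
            Tunnel-Private-Group-Id !* ANY
        }
    }
}
```

Two points worth keeping in mind when adapting this. First, the roaming branch is tested before any Ldap-Group comparison, so a federation user who does not exist in the local directory never triggers an LDAP lookup and the VLAN assigned to visitors is decided locally rather than trusted from the upstream reply. Second, post-auth only runs for an Access-Accept; an Access-Reject from the upstream IAS, as in the debug output quoted earlier in this thread, goes to the Post-Auth-Type REJECT section instead, so a rejected roaming user never receives a VLAN at all.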
