can you internally proxy a request more than once?
Brian Julin
BJulin at clarku.edu
Fri Mar 23 17:02:46 CET 2012
Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilage separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an externally
presented service.
Also, it is possible to get your local users to have local privileges
when using their eduroam-formatted credentials on the eduroam
SSID, just a bit tricky.
Here we run 4 instances for eduroam, two for IDP and two for SP
(one each 3.0 radsec proxy/filter and one 2.x internal.) Only the internal
sessions have any interaction with LDAP/SQL/AD.
________________________________
From: freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org [mailto:freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org] On Behalf Of mark.leese at stfc.ac.uk
Sent: Friday, March 23, 2012 10:13 AM
To: freeradius-users at lists.freeradius.org
Subject: can you internally proxy a request more than once?
Hi,
I have been using FreeRADIUS to authenticate visitors onto a wireless network using LDAP against Active Directory. I now need to also deploy eduroam.
I thought it would be sensible to do this as two separate virtual servers, so I created a new minimal 'default' server that proxies to a 'visitors' or 'eduroam' virtual server based on the wireless SSID, which the wireless NAS adds to an attribute in the Access-Request. The default server sets the Proxy-To-Realm attribute in the list of control items. The Realm then maps to a home_server in proxy.conf which has an associated virtual server e.g.
home_server virtual_server_for_eduroam {
type =auth+acct
virtual_server = eduroam
}
home_server_pool virtual_server_for_eduroam_pool {
home_server = virtual_server_for_eduroam
}
realm EDUROAM_VIRTUAL_SERVER {
pool = virtual_server_for_eduroam_pool
}
The 'visitors' virtual server works fine.
The 'eduroam' virtual server proxies the Access-Request to LOCAL or our National RADIUS Proxy Servers depending on whether the realm in the User-Name attribute is our realm or not. Local authentications are performed against Active Directory, and so we are using PEAP-MS-CHAPv2. For local authentications the inner MS-CHAPv2 authentications are proxied to the 'inner-tunnel' virtual server.
If (for testing) I configure clients.conf so that Access-Requests from the wireless NAS are always sent to the 'eduroam' virtual server, then it works fine. The 'eduroam' virtual server doesn't work if it is called from the new 'default' server using internal proxying. In that case I get an error saying "Multiple levels of TLS nesting is invalid".
I'm running FreeRADIUS 2.1.11.
I may not have provided enough detail, but am I doing something that obviously won't work? I don't know if it's possible to internally proxy a request more than once, e.g. to two different virtual servers. If it isn't possible, do I have any other options? Would a solution be to make the virtual servers listen on two different IP addresses, and configure the NAS to use a different RADIUS server IP address for each SSID? Alternatively, could the NAS continue to send all RADIUS packets to one IP address, and the default server proxy to virtual servers listening on different IP addresses?
Thanks in advance of any help you can give,
Have a good weekend,
Mark.
--
Scanned by iCritical.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120323/01a02401/attachment-0001.html>
More information about the Freeradius-Users
mailing list