Proxy configuration question

bpatil at ovi.com bpatil at ovi.com
Wed Feb 27 15:46:09 CET 2013



Hello,

I have a rudimentary proxy configuration question:

I am doing some testing with a FreeRADIUS server in the lab and the 
setup looks as follows:

[Host] --WiFi--- [AP]---[Wireless Cntrlr]-----------[AAA/Freeradius server]

Using EAP-TTLS for authentication. 
My wpa_supplicant config file looks like:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
network={
        ssid="mySSID"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=TTLS
        # outer identity, sent before the TLS tunnel is established
        anonymous_identity="anonymous@example.com"
        ca_cert="/home/testuser/Downloads/ca.pem"
        # PAP is a non-EAP inner method, so phase2 takes auth= rather than autheap=
        phase2="auth=PAP"
        identity="daniel"
        password="daniel"
}

The RADIUS server gets the Access request and then tries to proxy it
to example.com. I don't want the request or authentication to be proxied
elsewhere. The authentication needs to happen on the local RADIUS server
itself. What am I missing in the config? 

The server and client certs are all there in the /etc/raddb/certs directory.

Below is a snippet of the logs that I am seeing on the RADIUS server:

Tue Feb 26 17:29:43 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234
User-Name = "anonymous@example.com"
Calling-Station-Id = "00-03-7F-10-51-82"
NAS-IP-Address = 192.168.0.8
NAS-Port = 34
Called-Station-Id = "8C-0C-90-15-D1-9C:mySSID"
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "8C-0C-90-15-D1-9C"
Connect-Info = "CONNECT 802.11a/n"
EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d
Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332
Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec
Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...}
Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop
Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm "example.com" for User-Name = "anonymous@example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = "anonymous"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = "example.com"
Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous to realm example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication request to realm "example.com" 
Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated
Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.
Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop
Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 207
Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop
Tue Feb 26 17:29:43 2013 : Info:   WARNING: Empty pre-proxy section.  Using default return values.


Any help appreciated.

-BPa