Terminate EAP-TTLS then proxy
adrian.p.smith at bt.com
Tue Jun 13 10:19:21 CEST 2017
Thanks for the tips, this has got me a lot further. My default server now does the EAP work and passes the Access-Request to the inner-tunnel, but I think I need one last thing as it doesn't want to proxy it:
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[IPASS] Looking up realm "passpoint" for User-Name = "passpoint/adrian"
[IPASS] Found realm "passpoint"
[IPASS] Adding Realm = "passpoint"
[IPASS] Proxying request from user adrian to realm passpoint
[IPASS] Preparing to proxy authentication request to realm "passpoint"
++[IPASS] returns updated
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
Do I need to somehow reset the proxy state?
Thanks in advance,
Adrian
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+adrian.p.smith=bt.com at lists.freeradius.org] On Behalf Of Peter Lambrechtsen
Sent: 12 June 2017 20:58
To: FreeRadius users mailing list
Subject: Re: Terminate EAP-TTLS then proxy
You would also want to comment the "suffix" module from your main "default" site and add it to inner-tunnel.
Suffix is what looks up the realms from the proxy.conf and adds the proxy destination to request or not.
On 13/06/2017 06:11, "Alan Buxey" <alan.buxey at gmail.com> wrote:
> yes.... with various extra bits of config. firstly, you would need
> to use unlang to set the authentication to be local for a particular
> realm, then, in the inner-tunnel, you would need to use unlang to
> proxy the request to a defined realm pool.
>
> alan
>
> On 12 June 2017 at 07:51, <adrian.p.smith at bt.com> wrote:
> > I would like to be able to proxy the Auth request after terminating the
> > EAP-TTLS. FreeRadius sees the realm prefix on the User-Name and wants
> > to proxy first.
> >
> > Is this possible or even sensible please?
> >
> > Regards,
> >
> > Adrian
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
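
A sketch of the arrangement Alan Buxey and Peter Lambrechtsen describe in this thread, added here as an example and not configuration posted by any participant. It assumes FreeRADIUS 2.x syntax (matching the debug output format above); the home server name, address and secret are constructed placeholders, and only the realm name "passpoint" comes from the thread.

```conf
# --- sites-enabled/default: handles the outer EAP-TTLS conversation ---
authorize {
    preprocess
    # No realm modules (IPASS, suffix) are listed here, so the outer
    # request is never marked for proxying and EAP-TTLS terminates locally.
    eap {
        ok = return
    }
}

# --- sites-enabled/inner-tunnel: handles the tunnelled request ---
authorize {
    mschap
    # Unlang form of the proxy decision: a User-Name carrying the
    # "passpoint/" prefix is sent to the realm defined in proxy.conf.
    # Listing the IPASS realm module here instead has the same effect.
    if (User-Name =~ /^passpoint\//) {
        update control {
            Proxy-To-Realm := "passpoint"
        }
    }
}

# --- proxy.conf: where the inner request is sent ---
home_server passpoint_hs {        # hypothetical name
    type   = auth
    ipaddr = 192.0.2.10           # constructed (documentation address)
    port   = 1812
    secret = CHANGE_ME            # placeholder, set a strong shared secret
}

home_server_pool passpoint_pool { # hypothetical name
    type        = fail-over
    home_server = passpoint_hs
}

realm passpoint {
    auth_pool = passpoint_pool
}
```

Once the tunnel is terminated locally, the inner MS-CHAP exchange travels to the home server as plain RADIUS attributes, so that hop relies on the shared secret and on whatever transport protection sits between the two servers.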