Proxy EAP-TLS request after successful authorization with eap module
work vlpl
thework.vlpl at gmail.com
Tue Oct 17 07:46:19 CEST 2017
Hello,
I am using the v3.0.x branch and want to know: is it possible to make a proxy
request to another freeradius/radius server after the proxy radius server
successfully handles the request in the eap module?
In general, I want to know whether it is possible to implement the following scheme:
[user request eap-tls]
|
[freeradius proxy server] (check certificate; if certificate is good,
read certificate values; proxy call home radius server, if not reject)
|
[freeradius home server] (home server set additional attributes like port speed)
My simplified configuration looks like this:
server test_virtual_site {
    authorize {
        eap
        debug_all
        # Need-Remote-Call: custom RADIUS attribute added to the dictionary file
        if (&reply:Need-Remote-Call == 'yes') {
            update control {
                &Proxy-To-Realm := LOCAL
            }
        }
    }
    authenticate {
        eap
    }
    post-auth {
        debug_all
    }
}
and the inner eap-tls virtual site looks like this:
server check-eap-tls {
    authorize {
        update config {
            &Auth-Type := Accept
        }
    }
}
In this configuration, after the check-eap-tls virtual site accepts the request,
test_virtual_site jumps to the post-auth section, and the debug_all and update
control instructions are not executed. If I do not set Auth-Type :=
Accept in the check-eap-tls virtual site, the eap module informs me in the debug
log that the eap virtual site rejects the user certificate. And if I set the
Proxy-To-Realm attribute inside the check-eap-tls virtual site, the proxy
request to the home server does not happen.