Proxy EAP-TLS request after successful authorization with eap module

work vlpl thework.vlpl at gmail.com
Tue Oct 17 07:46:19 CEST 2017


Hello,
I am using the v3.0.x branch and want to know whether it is possible to make
a proxy request to another freeradius/radius server after the proxy radius
server successfully handles the request in the eap module.

In general I want to know whether it is possible to implement the following scheme:

[user request eap-tls]
    |
[freeradius proxy server]  (check certificate; if certificate is good,
read certificate values; proxy call home radius server, if not reject)
    |
[freeradius home server] (home server sets additional attributes like port speed)

My simplified configuration looks like this:

server test_virtual_site {
  authorize {
    eap
    debug_all

    # Need-Remote-Call - custom radius attribute added to dictionary file
    # (unlang comparisons use ==)
    if (&reply:Need-Remote-Call == 'yes') {
       update control {
          &Proxy-To-Realm := LOCAL
       }
    }
  }
  authenticate {
    eap
  }

  post-auth {
    debug_all
  }
}

and the inner eap-tls virtual site looks like this:

server check-eap-tls {
  authorize {
    update config {
       &Auth-Type := Accept
    }
  }
}

In this configuration, after the check-eap-tls virtual site accepts the
request, test_virtual_site jumps to the post-auth section, and the debug_all
and update control instructions are not executed. If I do not set
Auth-Type := Accept in the check-eap-tls virtual site, the eap module informs
me in the debug log that the eap virtual site rejects the user certificate.
And if I set the Proxy-To-Realm attribute inside the check-eap-tls virtual
site, the proxy request to the home server does not happen.

