What proxy features does the freeradius server support?
Alan DeKok
aland at deployingradius.com
Fri Oct 20 12:56:05 CEST 2017
> On Oct 19, 2017, at 11:19 PM, work vlpl <thework.vlpl at gmail.com> wrote:
>
> In steps 2 and 3, when the proxy RADIUS server analyzes the username, I want
> to analyze the real username, not the outer anonymous identity. To do that
> I handle the EAP message on the proxy RADIUS server.
The RADIUS server has to do EAP. The "real" username is available only in the inner-tunnel.
> Then, if the username does not belong to a certain group, I handle the request on the
> proxy server without calling the home server. If the username belongs to a
> certain group, I set the Proxy-To-Realm attribute. And here I have an
> issue.
You can't do EAP on the server, *and* proxy EAP to another server. It's impossible.
You *can* proxy the inner-tunnel session. But you also need to do it for all of the packets. You can't do EAP and also proxy, even inside of the inner-tunnel.
> If the request is PEAP-MSCHAPv2 and I set proxy_tunneled_request_as_eap =
> yes, the home RADIUS server (FreeRADIUS v3.0.x branch) does not understand the EAP
> message,
Then read *that* debug output to see what's going on. FreeRADIUS *can* proxy inner EAP methods. It *can* also act as a home server for those proxied requests.
> if proxy_tunneled_request_as_eap = no, the home RADIUS server has
> no problem understanding the MSCHAPv2 request.
> If the request is EAP-TTLS, the ttls section in the eap module config does not have
> the option `proxy_tunneled_request_as_eap`, and the request on the home server will
> be MSCHAPv2.
That's fine.
> And I could not configure the proxy server to send the request after it looks
> inside the EAP-TLS request. The home server reports that the EAP message has a
> wrong state.
Posting debug output would be more useful than posting vague descriptions.
> So the user's request to the proxy server is secured with EAP, but the proxy request
> to the home server is sent as plain MSCHAPv2 without EAP. And I want to
> know whether it is possible to send the request as EAP to the home server after the proxy
> server handles (looks inside) it?
No. You can (a) process EAP at a server, or (b) proxy it. You can't do both.
Alan DeKok.
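An added configuration sketch, not taken from this thread or from the FreeRADIUS project, of the only arrangement the reply allows: the outer PEAP session is terminated on the proxy, and the inner-tunnel session is forwarded whole to the home server by setting Proxy-To-Realm on the inner identity. The home server name, address, shared secret and realm `example.org` are placeholders.

```conf
# mods-available/eap on the proxy: terminate the outer PEAP here and hand
# the inner session to the inner-tunnel virtual server.
eap {
    default_eap_type = peap
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        # forward the inner EAP-MSCHAPv2 as EAP so the home server runs EAP
        # itself; "no" forwards plain MS-CHAPv2 instead (TTLS has no switch)
        proxy_tunneled_request_as_eap = yes
    }
}

# proxy.conf on the proxy: placeholder home server, pool and realm
home_server home_example {
    type   = auth
    # placeholder address and shared secret
    ipaddr = 192.0.2.10
    port   = 1812
    secret = CHANGE_ME
}
home_server_pool pool_example {
    type        = fail-over
    home_server = home_example
}
realm example.org {
    auth_pool = pool_example
    # keep the full inner User-Name when forwarding
    nostrip
}

# sites-available/inner-tunnel on the proxy, authorize section. The inner
# identity is only visible here, so the group decision is made here. Put this
# block BEFORE the stock "eap { ok = return }" entry: once the eap module has
# processed the inner request locally it can no longer be proxied.
authorize {
    if (&User-Name =~ /@example\.org$/) {
        # member of the group to hand off: every inner packet is proxied,
        # nothing is authenticated locally for this session
        update control {
            &Proxy-To-Realm := "example.org"
        }
    }
    # non-matching users fall through to the stock eap/pap/mschap entries
    # and are authenticated locally on the proxy
}
```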
More information about the Freeradius-Users mailing list