What proxy features does the freeradius server support?

Alan DeKok aland at deployingradius.com
Fri Oct 20 12:56:05 CEST 2017

> On Oct 19, 2017, at 11:19 PM, work vlpl <thework.vlpl at gmail.com> wrote:
> In steps 2 and 3, when the proxy RADIUS server analyzes the username, I want
> to analyze the real username, not the outer anonymous identity. To do that
> I handle the EAP message on the proxy RADIUS server.

  The RADIUS server has to do EAP.  The "real" username is available only in the inner-tunnel.

> Then, if the username does not belong to a certain group, I handle the request on
> the proxy server without calling the home server. If the username belongs to a
> certain group, I set the Proxy-To-Realm attribute. And here I have an
> issue.

  You can't do EAP on the server, *and* proxy EAP to another server.  It's impossible.

  You *can* proxy the inner-tunnel session.  But you also need to do it for all of the packets.  You can't do EAP and also proxy, even inside of the inner-tunnel.

> If the request is PEAP-MSCHAPv2 and I set proxy_tunneled_request_as_eap =
> yes, the home RADIUS server (FreeRADIUS v3.0.x branch) does not understand the EAP
> message,

  Then read *that* debug output to see what's going on.  FreeRADIUS *can* proxy inner EAP methods.  It *can* also act as a home server for those proxied requests.

> if proxy_tunneled_request_as_eap = no, the home RADIUS server has
> no problem understanding the MSCHAPv2 request.
> If the request is EAP-TTLS, the ttls section in the eap module config does not have the
> option `proxy_tunneled_request_as_eap`, and the request on the home server will
> be MSCHAPv2.

  That's fine.

> And I could not configure the proxy server to send the request after it looks
> inside the EAP-TLS request. The home server informs me that the EAP message has a
> wrong state.

  Posting debug output would be more useful than posting vague descriptions.

> So the user request to the proxy server is secured with EAP, but the proxy request
> to the home server is sent as plain MSCHAPv2 without EAP. And I want to
> know: is it possible to send the request as EAP to the home server after the proxy
> server handles (looks inside) it?

  No.  You can (a) process EAP at a server, or (b) proxy it.  You can't do both.

  Alan DeKok.
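The layout Alan describes, as an added configuration example for FreeRADIUS 3.0.x (not from the thread above and not the project's shipped files): the outer server terminates PEAP, the inner-tunnel virtual server sees the real User-Name and decides, per request, whether to proxy the inner session or authenticate it locally. The home server address, secret, realm name and the realm-suffix match standing in for the poster's "group" check are assumptions; tls-common is assumed to be configured as shipped.

```conf
# --- mods-available/eap on the proxy (outer) server --------------------
# Only the peap subsection is shown.  The outer PEAP/TLS is terminated
# here; the decrypted inner request is handed to "inner-tunnel".
eap {
	default_eap_type = peap

	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"

		# Applies only when the inner session is proxied:
		# yes: the proxied request carries EAP-Message (inner
		#      EAP-MSCHAPv2), so the HOME server must run EAP for it.
		# no:  the inner EAP-MSCHAPv2 is rewritten to plain
		#      MS-CHAP-Challenge / MS-CHAP2-Response attributes.
		proxy_tunneled_request_as_eap = yes
	}
}

# --- sites-available/inner-tunnel on the proxy server ------------------
# The real (inner) User-Name is visible here.  Requests for the routed
# identities are marked for proxying before the eap module sees them;
# every other inner session is authenticated locally.
server inner-tunnel {
	authorize {
		# Assumed selection rule: a realm suffix stands in for the
		# "certain group" check from the thread.
		if (&User-Name =~ /@home\.example$/) {
			update control {
				&Proxy-To-Realm := "home.example"
			}
		}

		# With Proxy-To-Realm set, rlm_eap logs that the request is
		# to be proxied and returns noop: it does NOT run the inner EAP.
		# Every packet of that inner session then goes to the home
		# server, which is the "proxy it for all packets" requirement.
		eap {
			ok = return
		}

		# Local path for everyone else.
		mschap
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}

# --- proxy.conf on the proxy server ------------------------------------
# Address, secret and names are assumed values.
home_server home1 {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	secret = testing123
}

home_server_pool home_pool {
	type = fail-over
	home_server = home1
}

realm home.example {
	auth_pool = home_pool
	nostrip    # send the full inner User-Name to the home server
}
```

The proxy never does both things for one inner session: for `@home.example` users it forwards every inner packet unmodified (apart from the `proxy_tunneled_request_as_eap` rewrite) and the home server owns the EAP state; for everyone else the eap module runs the inner EAP-MSCHAPv2 locally. If the home server cannot do EAP, set `proxy_tunneled_request_as_eap = no`; if it can, leave it at `yes`, but then its own inner-tunnel configuration must be prepared to accept the EAP-MSCHAPv2 that arrives without an outer PEAP session.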
