Freeradius PROXY: EAP-PEAP - TLS with NT-Password and Cleartext-Password

Alan DeKok aland at deployingradius.com
Thu Jun 28 20:28:41 CEST 2018


> On Jun 28, 2018, at 2:02 PM, Andrei Antonelli <andreirp at gmail.com> wrote:
> 
> Hi, could someone help me with the example of my configuration below?

  Please only post one message instead of two.

> When I'm logging in with username and password *without suffix*, *it works*,
> but when I'm logging in with a *suffix* like testuser at hcrpp.com or testuser@cr.net
> I get this error message:
> 
> suffix: Checking for suffix after "@"
> (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@hcrpp.com"
> (22) suffix: Found realm "hcrpp.com"
> (22) suffix: Adding Realm = "hcrpp.com"

  That's fine.

> (22) suffix: Proxying request from user testuser at hcrpp.com to realm hcrpp.com
> (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com"
> (22)       [suffix] = updated
> (22)       update control {
> (22)         &Proxy-To-Realm := "LOCAL"
> (22)       } # update control = noop

  Why are you doing this?  It's unnecessary.  You can just set the "hcrpp.com" realm to be a local realm.  In proxy.conf, do:

realm hcrpp.com {
}

  That's it.  See the comments in proxy.conf for more documentation.

> (22) eap: Peer sent EAP Response (code 2) ID 6 length 81
> (22) eap: No EAP Start, assuming it's an on-going EAP conversation
> (22)       [eap] = updated
> (22) sql: EXPAND %{User-Name}
> (22) sql:    --> testuser at hcrpp.com
> (22) sql: SQL-User-Name set to 'testuser at hcrpp.com'

  See the comments in raddb/mods-config/main/mysql/queries.conf

  You should edit the "sql_user_name" to be:

	sql_user_name = %{%{Stripped-User-Name}:-%{User-Name}}

  Which will then use "testuser" instead of "testuser at hcrpp.com".

> *My config below*

  We don't need the configuration.  See http://wiki.freeradius.org/list-help

> realm hcrpp.com {
> auth_pool = HCRPPOOL
> strip
> }

  Which causes packets containing "username at hcrpp.com" to be proxied.  If you don't want them to be proxied, read the comments in proxy.conf.  This is explained in detail.

  Alan DeKok.
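
The realm handling and the sql_user_name fallback discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified Python model of a suffix lookup followed by the %{%{Stripped-User-Name}:-%{User-Name}} expansion. The function names and the two realm tables are hypothetical and constructed for illustration; the model assumes the realm is taken after the last "@" and that a matched realm yields a Stripped-User-Name.

```python
# Simplified model (an assumption-laden sketch, not FreeRADIUS source) of the
# suffix realm lookup and the sql_user_name fallback from this thread.

# Constructed realm tables. An empty entry mirrors "realm hcrpp.com { }"
# (a local realm); the auth_pool entry mirrors the poster's original config.
LOCAL_REALMS = {"hcrpp.com": {}}
PROXIED_REALMS = {"hcrpp.com": {"auth_pool": "HCRPPOOL"}}


def suffix(user_name, realms, delimiter="@"):
    """Return the attributes a suffix-style realm lookup would add."""
    attrs = {"User-Name": user_name}
    local_part, sep, realm = user_name.rpartition(delimiter)
    if not sep or realm not in realms:
        return attrs  # no delimiter or unknown realm: nothing is added
    attrs["Realm"] = realm
    attrs["Stripped-User-Name"] = local_part
    # Only a realm that names a server pool is marked for proxying.
    if realms[realm].get("auth_pool"):
        attrs["Proxy-To-Realm"] = realm
    return attrs


def sql_user_name(attrs):
    """Model of %{%{Stripped-User-Name}:-%{User-Name}}: the first value
    that is set and non-empty wins."""
    return attrs.get("Stripped-User-Name") or attrs["User-Name"]


def sql_user_name_unstripped(attrs):
    """Model of %{User-Name}: the realm stays in the SQL lookup key."""
    return attrs["User-Name"]


if __name__ == "__main__":
    for name in ("testuser", "testuser@hcrpp.com", "testuser@cr.net"):
        for label, table in (("local", LOCAL_REALMS), ("pool", PROXIED_REALMS)):
            a = suffix(name, table)
            print(f"{name:22} {label:5} proxy={a.get('Proxy-To-Realm')!s:10} "
                  f"sql={sql_user_name(a)}")
```

The unknown realm case (cr.net in the constructed tables) keeps the full name as the SQL key, so a user row stored as "testuser" would not match it.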