freeradius proxying directions..

Tom Mustaki tom at mustaki.com
Wed Jan 9 15:51:19 CET 2019


Alan, thank you for the information. Sadly I couldn't accomplish it.

I have played a little with the configuration and got it partially working.
I noticed a bug in which, even if the RADIUS server is down, access is
granted.
Can someone identify the bug for me and explain how to modify the script to
correct it?
authorize {
        if (!State) {
                if (&User-Password) {
                        # If !State and User-Password (PAP), then force LDAP:
                        update control {
                                Ldap-UserDN := "%{User-Name}@domain.com"
                                Auth-Type := LDAP
                        }
                }
                else {
                        reject
                }
        }
        else {
                # If State, then proxy request:
                update control {
                        Proxy-To-Realm := "proxy-test"
                }
        }
}

authenticate {
        Auth-Type LDAP {
                # Attempt authentication with a direct LDAP bind:
                ldap
                if (ok) {
                        update request {
                                User-Password := p
                        }
                        update control {
                                Proxy-To-Realm := "proxy-test"
                        }
                        accept
                }
        }
}

pre-proxy {
        # Enable pre-proxy to filter State attribute from proxied requests:
        attr_filter.pre-proxy
}

On Mon, Jan 7, 2019 at 3:39 PM Alan DeKok <aland at deployingradius.com> wrote:

>
> On Jan 6, 2019, at 10:16 AM, Tom Mustaki <tom at mustaki.com> wrote:
> > I am a noob in the freeradius business and really need some basic guidance.
> > I was following an article:
> > https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
> >
> > and it worked fine.
>
>   That's good.
>
> > Now my goal is to support push notification on mobile devices.
> > (The freeradius should proxy the request without waiting for OTP input from
> > the authenticating user.)
> > Instead the freeradius should, after successful LDAP bind, send
> > username + p for password, to the OTP radius. That will trigger a push
> > notification on the mobile device.
> >
> > Could anyone point me in the right direction on where and what to change?
>
>   The server can't do proxying *and* local authentication at the same
> time.  But with a bit of minor configuration, it should work.
>
>   The simple solution is to *not* set Auth-Type = LDAP.  You should be
> able to do something like:
>
> authorize {
>         ...
>         ldap.authenticate       # run LDAP bind
>         if (ok) {
>                 update control {
>                         Proxy-To-Realm := "realm"
>                 }
>         }
>         ...
> }
>
>   Alan DeKok.
>
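An added example (my own configuration, not Tom's or Alan's) that follows the advice in the reply: do the LDAP bind in authorize and let the proxied OTP reply decide the outcome, so an unreachable OTP server ends in a reject rather than an accept. It assumes FreeRADIUS 3.0 unlang, the realm "proxy-test" from the post defined in proxy.conf, and that a Post-Proxy-Type Fail-Authentication sub-section is available in post-proxy.

```unlang
authorize {
        # Phase 1: first packet carries the PAP password and no State. Bind here
        # (as the reply suggests) instead of setting Auth-Type := LDAP.
        if (!&State && &User-Password) {
                update control {
                        &Ldap-UserDN := "%{User-Name}@domain.com"
                }
                ldap.authenticate
                if (!ok) {
                        reject
                }
                # Bind succeeded: send the push trigger ("p") to the OTP
                # server. No local accept here; the proxied reply decides.
                update request {
                        &User-Password := "p"
                }
                update control {
                        &Proxy-To-Realm := "proxy-test"
                }
        }
        elsif (&State) {
                # Phase 2: the challenge round trip belongs to the OTP server.
                update control {
                        &Proxy-To-Realm := "proxy-test"
                }
        }
        else {
                reject
        }
}

authenticate {
        # Deliberately empty: nothing is authenticated locally, so a request
        # that is not proxied has no Auth-Type and is rejected.
}

pre-proxy {
        attr_filter.pre-proxy
}

post-proxy {
        # Assumption: 3.0 Fail-Authentication runs when the home server does not answer.
        Post-Proxy-Type Fail-Authentication {
                update reply {
                        &Reply-Message := "OTP server unavailable"
                }
                reject
        }
}
```

Without the post-proxy section, what happens on a home-server timeout depends on the server version, so check it against your version's sites-available/default before relying on it.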
