freeradius proxying directions..
Alan DeKok
aland at deployingradius.com
Wed Jan 9 16:54:58 CET 2019
On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom at mustaki.com> wrote:
>
> Alan, thank you for the information. Sadly I couldn't accomplish it.
What does that mean? What error did you get when you tried my suggestion?
Saying "stuff didn't work" is not overly helpful.
> I have played a little with the configuration and got it partially working.
> I noticed a bug in which, even if the RADIUS server is down, access is
> granted..
Because you told it to do that.
> Can someone identify the bug for me and explain how to modify the script to
> correct it?
> ...
> authenticate {
>     Auth-Type LDAP {
>         # Attempt authentication with a direct LDAP bind:
>         ldap
>         if (ok) {
>             update request {
>                 User-Password := p
>             }
>             update control {
>                 Proxy-To-Realm := "proxy-test"
>             }
That won't work. The server EITHER runs the "authenticate" section, OR it proxies. It can't do both.
>             accept
That's an unconditional "accept the user". Which is why it unconditionally accepts the user.
My suggestion should work:
>> authorize {
>>     ...
>>     ldap.authenticate    # run LDAP bind
>>     if (ok) {
>>         update control {
>>             Proxy-To-Realm := "realm"
>>         }
>>     }
>>     ...
>> }
That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase. That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication.
If that doesn't work, say WHY it doesn't work. Show the debug output.
Alan DeKok.
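The following is an added worked example, not Alan's reply and not a FreeRADIUS project file. It puts his suggestion into a complete FreeRADIUS 3.x virtual server plus the matching proxy.conf realm, so the two phases can be read together: the LDAP bind happens in "authorize", a successful bind sets Proxy-To-Realm, and the "authenticate" section is then skipped because the packet is proxied. The realm name "proxy-test", the home server address 192.0.2.10 and the shared secret are constructed placeholders; the assumption that a dead home server leads to a reject rather than an accept is the default behaviour because nothing in this configuration accepts the user unconditionally, as the original "accept" did.

```unlang
# --- sites-enabled/default (relevant sections only; added example, not project code) ---

authorize {
    preprocess

    # Bind to LDAP as the user (the "bind as user" check). This runs in the
    # authorize phase on purpose: Proxy-To-Realm must be set here so that
    # the authenticate phase sees it and proxies instead of authenticating
    # locally.
    ldap.authenticate

    if (ok) {
        # Bind succeeded: hand the packet to the home server defined below.
        update control {
            Proxy-To-Realm := "proxy-test"   # constructed realm name
        }
    }
    else {
        # Bind failed: stop here with an Access-Reject. No unconditional
        # "accept" anywhere, so a dead LDAP or a dead home server can
        # never turn into an Access-Accept.
        reject
    }
}

authenticate {
    # Not reached for packets that have Proxy-To-Realm set; the server
    # either runs this section OR proxies, never both. Kept for requests
    # that are not proxied.
    Auth-Type LDAP {
        ldap
    }
}

# --- proxy.conf (added example; addresses and secret are placeholders) ---

home_server proxy-test-home {
    type    = auth
    ipaddr  = 192.0.2.10          # constructed placeholder address
    port    = 1812
    secret  = CHANGE-ME-SECRET    # constructed placeholder secret
    # Probe the home server so it is marked dead, not merely slow.
    status_check = status-server
}

home_server_pool proxy-test-pool {
    type        = fail-over
    home_server = proxy-test-home
}

realm proxy-test {
    auth_pool = proxy-test-pool
}
```

To confirm the behaviour, run the server with `radiusd -X` and send a test request: the debug output should show the LDAP bind, then "Proxying to realm proxy-test", and no "authenticate" section being run. If the home server is down, the debug output reports the failed proxy and the client receives a reject, which is the result the original configuration was missing.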