freeradius proxying directions..

Alan DeKok aland at
Wed Jan 9 16:54:58 CET 2019

On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom at> wrote:
> Alan, Thank you for the information. sadly i couldn't accomplish it.

  What does that mean?  What error did you get when you tried my suggestion?

  Saying "stuff didn't work" is not overly helpful.

> i have played a little with the configuration and got it partially working.
> i noticed a bug, in which, even if radius server is down, access is
> granted..

  Because you told it to do that.

> can someone identify the bug for me and explain how to modify the script to
> correct it?
> ...
> authenticate {
>        Auth-Type LDAP {
>                # Attempt authentication with a direct LDAP bind:
>                ldap
>                if (ok) {
> update request {
> User-Password := p
> }
> update control {
>                       Proxy-To-Realm := "proxy-test"
>                }

  That won't work.  The server EITHER runs the "authenticate" section, OR it proxies.  It can't do both.

> accept

  That's an unconditional "accept the user".  Which is why it unconditionally accepts the user.

  My suggestion should work:

>> authorize {
>>        ...
>>        ldap.authenticate       # run LDAP bind
>>        if (ok) {
>>                update control {
>>                        Proxy-To-Realm := "realm"
>>                }
>>        }
>>        ...
>> }

  That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase.  That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication.

  If that doesn't work, say WHY it doesn't work.  Show the debug output.

  Alan DeKok.

More information about the Freeradius-Users mailing list