freeradius proxying directions..

Tom Mustaki tom at mustaki.com
Wed Jan 9 19:41:57 CET 2019


Alan,
It worked just like you said it would.
You are the man!  Thank you.

My config:

authorize {
        update control {
                Ldap-UserDN := "%{User-Name}@domain.com"
        }
        ldap.authenticate        # run user authentication by LDAP bind

        if (ok) {
                # Trigger push notification by sending 'p' as the password value
                update request {
                        User-Password := p
                }
                # Send to SafeNet Authentication Service
                update control {
                        Proxy-To-Realm := "proxy-test"
                }
        }
}

authenticate {

}

pre-proxy {
        # Enable pre-proxy to filter State attribute from proxied requests:
        attr_filter.pre-proxy
}


On Wed, Jan 9, 2019 at 5:55 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom at mustaki.com> wrote:
> >
> > Alan, thank you for the information. Sadly I couldn't accomplish it.
>
>   What does that mean?  What error did you get when you tried my
> suggestion?
>
>   Saying "stuff didn't work" is not overly helpful.
>
> > I have played a little with the configuration and got it partially
> > working. I noticed a bug in which, even if the RADIUS server is down,
> > access is granted.
>
>   Because you told it to do that.
>
> > Can someone identify the bug for me and explain how to modify the
> > script to correct it?
> > ...
> > authenticate {
> >        Auth-Type LDAP {
> >                # Attempt authentication with a direct LDAP bind:
> >                ldap
> >                if (ok) {
> >                        update request {
> >                                User-Password := p
> >                        }
> >                        update control {
> >                                Proxy-To-Realm := "proxy-test"
> >                        }
>
>   That won't work.  The server EITHER runs the "authenticate" section, OR
> it proxies.  It can't do both.
>
> > accept
>
>   That's an unconditional "accept the user".  Which is why it
> unconditionally accepts the user.
>
>   My suggestion should work:
>
> >> authorize {
> >>        ...
> >>        ldap.authenticate       # run LDAP bind
> >>        if (ok) {
> >>                update control {
> >>                        Proxy-To-Realm := "realm"
> >>                }
> >>        }
> >>        ...
> >> }
>
>   That will do "bind as user" to authenticate the user, BUT do it in the
> "authorize" phase.  That way, the "authenticate" phase then sees the
> Proxy-To-Realm, and proxies the packet, instead of doing local
> authentication.
>
>   If that doesn't work, say WHY it doesn't work.  Show the debug output.
>
>   Alan DeKok.
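As an added illustration of the point in Alan's reply, here is a small Python model written for this page; it is not FreeRADIUS code and not the poster's configuration. It encodes one rule only: once `authorize` has run, the server either proxies the request (when `control:Proxy-To-Realm` is set) or runs `authenticate`, never both. Everything else (the user directory, which users approve the SafeNet push, treating a silent home server as a reject, and the `outcome` helper) is an assumption of the model. Running it shows why the original policy returns Access-Accept when the SafeNet home server is down, and why it skips the second factor entirely, while the corrected policy fails closed.

```python
"""Model of the FreeRADIUS request flow discussed in the thread.

Added example, not FreeRADIUS code or the list poster's configuration.
It models only the rule from the reply: after 'authorize', the server EITHER
proxies (if control:Proxy-To-Realm is set) OR runs 'authenticate'.
The directory, push approvals and reject-on-no-reply are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

# Constructed sample directory (assumption): username -> LDAP password
LDAP_USERS = {"alice": "s3cret", "bob": "hunter2"}
# Constructed (assumption): users who would approve the SafeNet push
PUSH_APPROVED = {"alice"}


@dataclass
class Request:
    user: str
    password: str
    control: dict = field(default_factory=dict)   # the 'control' list


@dataclass
class HomeServer:
    """Stand-in for the 'proxy-test' realm (the SafeNet home server)."""
    up: bool

    def handle(self, req: Request) -> Optional[str]:
        if not self.up:
            return None  # no reply; the model treats this as a reject below
        # The proxied packet carries User-Password 'p', which triggers the
        # push; approval is out of band, modelled here by PUSH_APPROVED.
        ok = req.password == "p" and req.user in PUSH_APPROVED
        return ACCEPT if ok else REJECT


def ldap_bind(req: Request) -> bool:
    """Models the ldap module's bind-as-user: ok only on the right password."""
    return LDAP_USERS.get(req.user) == req.password


def run_server(req: Request, authorize: Callable, authenticate: Callable,
               home: HomeServer) -> str:
    """authorize, then EITHER proxy OR authenticate (the rule from the reply)."""
    authorize(req)
    if "Proxy-To-Realm" in req.control:
        reply = home.handle(req)
        return reply if reply is not None else REJECT  # assumption: fail closed
    return authenticate(req)


# --- Original policy: proxy decision and 'accept' inside authenticate -------
def broken_authorize(req: Request) -> None:
    pass


def broken_authenticate(req: Request) -> str:
    if ldap_bind(req):
        req.password = "p"
        req.control["Proxy-To-Realm"] = "proxy-test"  # too late: never proxied
        return ACCEPT  # the unconditional 'accept'
    return REJECT


# --- Corrected policy: bind and proxy decision in authorize -----------------
def fixed_authorize(req: Request) -> None:
    if ldap_bind(req):
        req.password = "p"
        req.control["Proxy-To-Realm"] = "proxy-test"


def fixed_authenticate(req: Request) -> str:
    return REJECT  # not reached when Proxy-To-Realm was set in authorize


def outcome(policy: str, user: str, password: str, home_up: bool) -> str:
    """Hypothetical helper: final reply for one request under one policy."""
    sections = {"broken": (broken_authorize, broken_authenticate),
                "fixed": (fixed_authorize, fixed_authenticate)}[policy]
    return run_server(Request(user, password), *sections, HomeServer(home_up))


if __name__ == "__main__":
    cases = [("alice", "s3cret", True), ("alice", "s3cret", False),
             ("bob", "hunter2", True), ("alice", "wrong", True)]
    for policy in ("broken", "fixed"):
        for user, pw, up in cases:
            print(f"{policy:6} {user:5} home_up={up!s:5} -> "
                  f"{outcome(policy, user, pw, up)}")
```

The model makes the two defects of the original policy visible side by side: with `accept` inside `authenticate`, a correct LDAP password is enough for an Access-Accept whether or not the SafeNet server is reachable, and even for a user who never approves the push. Moving the bind and the `Proxy-To-Realm` update into `authorize` means the reply comes from the home server, so an unreachable or rejecting second factor yields Access-Reject.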