I have a question with radius proxy
Alan DeKok
aland at deployingradius.com
Fri Jul 26 13:52:22 CEST 2019
On Jul 26, 2019, at 1:45 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> It is decided to use eduroam as well as the certification of one's own base
> in Radius under construction.
>
> If you set proxy.conf and start radius, eduroam can authenticate without
> problems.
> If you try to authenticate on the internal side (local side), it is
> transferred to the home_server side, and proxy.conf
Because you configured it to do that.
The default configuration doesn't proxy. So if your server proxies packets, it's because you told it to do that.
> We are troubled because we do not branch in the realm.
> The specifications for connection are as follows.
> 1. An AP connected to eduroam is shared with campus and eduroam
> 2. If the realm of the connecting user ID is your own site, connect to
> LOCAL RADIUS without Proxy, if eduroam, proxy to eduroam
Just configure your realm as LOCAL, and proxy everything else.
> -----------------------<debug log>--------------------------
> <Successful case>
>
> Thu Jul 25 19:48:22 2019 : Debug: (9) Received Access-Request Id 1 from
> xxx.15.xxx.241:50692 to xxx15.xxx.14:1812 length 277
<sigh> PLEASE FOLLOW THE DOCUMENTATION.
This isn't difficult. We don't need to see "radiusd -Xxxxxxxxxxxxx". We just need "radiusd -X". ALL of the documentation says to do this. And people get told this weekly, if not daily on the list.
Yet for some reason, there's a large group of people who don't do that. It's not polite.
When you refuse to follow the documentation, you make it more difficult for anyone to help you. This is bad.
Honestly, given the extra nonsense in the debug output, and the broken formatting, it's difficult to tell what's going on. Plus, you didn't explain why you posted two debug outputs, or what those debug outputs were for. So again, you're making it difficult for anyone to help you.
You should run tests on *just* the inner-tunnel. See the documentation at the top of that file. Use the debug output to create test packets for "radclient". Then, send those test packets to the inner tunnel. Read the debug output (radiusd -X). If you don't understand it, read the documentation:
http://wiki.freeradius.org/radiusd-X
Then, fix the "inner-tunnel" configuration so that it works. Once it works with "radclient", THEN do full testing with EAP.
A major part of the debugging process is narrowing down the problem. If you test EVERYTHING at the same time, then it's hard to tell which piece is going wrong. There will be a lot of things happening, and a lot of debug output. Narrowing down the problem helps make everything simpler.
Alan DeKok.
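
A sketch of the proxy.conf layout the reply describes (own realm handled locally, everything else proxied), added here as an example; it is not the poster's configuration and not part of Alan's message. The realm name `campus.example`, the home server name, its address and its secret are placeholders, and it assumes FreeRADIUS 3.x with the `suffix` realm module listed in `authorize`.

```conf
# proxy.conf (added example; names, addresses and secrets are placeholders)

# Upstream eduroam server that receives every non-local realm.
home_server eduroam_upstream {
	type         = auth
	ipaddr       = 192.0.2.10        # placeholder address (TEST-NET-1)
	port         = 1812
	secret       = CHANGE_ME         # placeholder shared secret
	status_check = status-server
}

home_server_pool eduroam_pool {
	type        = fail-over
	home_server = eduroam_upstream
}

# The site's own realm. A realm with no pool is LOCAL:
# user@campus.example is authenticated by this server and never proxied.
realm campus.example {
}

# Every other realm is proxied to eduroam.
# "nostrip" keeps the @realm part in User-Name so upstream can route it.
realm DEFAULT {
	auth_pool = eduroam_pool
	nostrip
}
```

Run `radiusd -X` and send one test request per realm to confirm that only the non-local one is proxied.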