Server verification when proxying
Martin Pauly
pauly at hrz.uni-marburg.de
Wed Oct 29 14:26:00 UTC 2025

Hi Stephen,

Alan is, of course, right: When proxying other people's connections,
your RADIUS server assumes an entirely different role than in local operation:
It passes foreign messages based on the outer identity -- that's it.
You remain 100% agnostic of their EAP variant, or their encryption details.
For us university people, this is very common in the eduroam system.
To accommodate "foreign" users (their_realm != our_realm) for roaming,
we let them use our RADIUS servers and the RADIUS proxy chain
to obtain an Access-Accept or Access-Reject message, then follow this result
and, in case of Access-Accept, assign them to some "externally authenticated guests" VLAN.

On 28.10.25 at 17:24, Alan DeKok via Freeradius-Users wrote:
> What I don't understand is why they say that their users are only prompted 'sometimes', not always.
This might be due to differences in client devices.
A properly pre-configured client already knows what Root Cert/CA and server name/SAN to verify.
Thus, it can tell right away whether to proceed with setup or to reject the server.
Many unconfigured clients (e.g. Windows) default to "Trust on first use":
When the client sees a new server, it asks the user whether to accept the server.
The decision is stored and continues to work until the server cert expires.
(The worst case would be not to validate the server cert at all,
which used to be a huge problem with Android devices over 2 decades).
So heterogeneously configured clients may result in heterogeneous behaviour.

Kind regards
Martin Pauly
--
Dr. Martin Pauly
Abt. Kommunikation
Hochschulrechenzentrum (HRZ)
Philipps-Universität Marburg
35032 Marburg
T +49 6421 28-23527
E pauly at hrz.uni-marburg.de
https://www.uni-marburg.de/de/hrz
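
Added example, not part of the message above or of FreeRADIUS: a small audit that classifies 802.1X network blocks by how they verify the RADIUS server, matching the pre-configured and unvalidated client cases described in the post. It assumes Linux clients using wpa_supplicant (whose `ca_cert`, `ca_path`, `domain_suffix_match`, `domain_match`, `altsubject_match` and `subject_match` options it reads); the SSIDs, paths, host names and result labels are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf (hypothetical SSIDs, paths and names).
SAMPLE_CONF = '''
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="eduroam-ca-only"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-root.pem"
}
network={
    ssid="eduroam-unchecked"
    key_mgmt=WPA-EAP
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
'''

# wpa_supplicant options that tie the certificate to an expected server name.
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        lines = [l.strip() for l in body.splitlines()]
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def classify(net):
    """Say how an 802.1X network block verifies the RADIUS server certificate."""
    if "EAP" not in net.get("key_mgmt", "") and "eap" not in net:
        return "not-eap"
    if "ca_cert" not in net and "ca_path" not in net:
        return "no-validation"  # any server certificate is accepted
    if not any(k in net for k in NAME_KEYS):
        return "ca-only"        # any certificate issued under that CA is accepted
    return "pinned"             # trust anchor and server name are both checked

def audit(text):
    return {n.get("ssid", "?"): classify(n) for n in parse_networks(text)}
```

Only blocks reported as `pinned` correspond to the properly pre-configured client in the post; the other EAP results mark profiles to fix before users roam.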