I think you have to use the attribute "Stripped-User-Name" to authenticate the
user.

> Date: Wed, 24 Jan 2007 14:21:59 +0800
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Subject: Proxying based on SSID
>
> Hi,
>
> Sorry if the questions have been asked. I have done a lot of searches,
> but could not find the answer.
>
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.
>
> But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.
>
> Any suggestions to solve it are appreciated. Thanks in advance.
>
> Best Regards,
> Lai
>
> Users
> =====
> DEFAULT NAS-Port-Type == "Wireless-802.11", Called-Station-Id =~ "MY-SSID$", Strip-User-Name := Yes, Autz-Type := usePlainTextPwd, Proxy-to-realm := "hku.hk"
>
> DEFAULT NAS-Port-Type == "Wireless-802.11", Autz-Type := usePlainTextPwd
>
> Radiusd -X
> =========
> rad_recv: Access-Request packet from host 17.18.28.26:20002, id=136, length=152
>         NAS-Port-Id = "2098/1"
>         Calling-Station-Id = "00-18-DE-83-3E-1B"
>         Called-Station-Id = "00-16-E0-FD-47-40:VIP-peap"
>         Service-Type = Framed-User
>         EAP-Message = 0x02010012017063637732406173642e636f6d
>         User-Name = "[EMAIL PROTECTED]"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "3Com"
>         NAS-IP-Address = 17.18.28.26
>         Message-Authenticator = 0x46e6da4a3ad7d253157a9f21a110807b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: Looking up realm "asd.com" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "DEFAULT"
> rlm_realm: Proxying request from user pcw2 to realm DEFAULT
> rlm_realm: Adding Realm = "DEFAULT"
> rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
> modcall[authorize]: module "suffix" returns updated for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> users: Matched entry DEFAULT at line 171
> users: Matched entry DEFAULT at line 244
> modcall[authorize]: module "files" returns ok for request 0
> rlm_eap: EAP packet type response id 1 length 18
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> modcall: leaving group authorize (returns updated) for request 0
> Found Autz-Type usePlainTextPwd
> Processing the authorize section of radiusd.conf
> modcall: entering group usePlainTextPwd for request 0
> modcall: entering group redundant for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for [EMAIL PROTECTED]
> radius_xlat: '(&([EMAIL PROTECTED])))'
> radius_xlat: 'ou=ldap,o=hku,c=hk'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.hku.hk:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as cn=net,o=hku,c=hk/M134aNaa to ldap1.hku.hk:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=ldap,o=hku,c=hk, with filter (&([EMAIL PROTECTED]))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "withNTPwd" returns notfound for request 0
> modcall: leaving group redundant (returns notfound) for request 0
> modcall: leaving group usePlainTextPwd (returns notfound) for request 0
> WARNING: You set Proxy-To-Realm = hku.hk, but it is a LOCAL realm! Cancelling invalid proxy request.
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> WARNING: Cancelling proxy to Realm hku.hk, as the realm is local.
> Sending Access-Challenge of id 136 to 17.18.28.26 port 20002
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfd7f032f1c3ed7e8e39bf1872727e771
> Finished request 0
> Going to the next request
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
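
A small Python model of the behaviour discussed in this thread, added here as an example (not code from either poster or from FreeRADIUS): it takes the SSID from Called-Station-Id, sets Stripped-User-Name for SSIDs that are handled locally, and builds the LDAP filter from the stripped name with RFC 4515 escaping. The user name, the LOCAL_SSIDS set, the `uid` attribute and all function names are assumptions.

```python
import re

# Constructed request shaped like the Access-Request in the debug output above.
# The User-Name is made up; the value on the page is redacted.
REQUEST = {
    "User-Name": "alice@example.org",
    "Called-Station-Id": "00-16-E0-FD-47-40:VIP-peap",
    "NAS-Port-Type": "Wireless-802.11",
}
LOCAL_SSIDS = {"VIP-peap"}  # hypothetical: SSIDs answered from local LDAP

def ssid_of(called_station_id):
    """SSID from 'MAC:SSID' (hyphen-separated MAC, as in the log), else None."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep and ssid else None

def strip_realm(user_name):
    """Split 'user@realm' on the last '@'; return (bare_user, realm or None)."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep and user else (user_name, None)

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a name cannot alter the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def ldap_filter(request, attr="uid"):
    """Use Stripped-User-Name when present, otherwise fall back to User-Name."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return "(%s=%s)" % (attr, ldap_escape(name))

def handle(request):
    """Return (decision, ldap_filter_or_None) for one request."""
    req = dict(request)
    if ssid_of(req.get("Called-Station-Id", "")) in LOCAL_SSIDS:
        # Local SSID: ignore the realm and look up the bare user name.
        req["Stripped-User-Name"], _ = strip_realm(req["User-Name"])
        return "local", ldap_filter(req)
    # Simplification: any other request carrying a realm is proxied.
    _, realm = strip_realm(req["User-Name"])
    return ("proxy", None) if realm else ("local", ldap_filter(req))

if __name__ == "__main__":
    print("without stripping:", ldap_filter(REQUEST))
    print("with SSID rule:   ", handle(REQUEST))
```

The first filter is the one that returns "object not found" in the debug output, because the realm is still part of the name being searched.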