Sorry, got it wrong in last post, read this one instead:

>DEFAULT EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL

End all EAP-TTLS connections at proxy.
If not SECURACCESS domain: check Username against LDAP.
(If possible to order. Do NOT check SECURACCESS domain against LDAP

>SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm :=
>"SECURACCESS"

All users found with SECURACCESS domain in name i.e. "[EMAIL PROTECTED]". Proxy them with PAP authentication to "SECURACCCESS" domain IP address mentioned in proxy.conf.

>Fall-Through := No

If SECURACCESS domain found in User-Name "[EMAIL PROTECTED]" stop after proxying.

So I want to END all EAP tunnels at proxy for ALL domains. Authenticate with LDAP except for SECURACCESS domain. IF SECURACCESS domain found, proxy only PAP further (to IP address mentioned in proxy.conf).

>Fri Feb 1 18:48:37 2008 : Debug: Listening on accounting *:1813
>Fri Feb 1 18:48:37 2008 : Debug: Listening on proxy *:1814
>Fri Feb 1 18:48:37 2008 : Info: Ready to process requests.
>rad_recv: Access-Request packet from host 192.168.1.150:32797, id=161, ...
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Looking up realm
>"SECURACCESS" for User-Name = "joakimlindgren at SECURACCESS"
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Found realm "SECURACCESS"

So here we found SECURACCESS domain name in User-Name:

>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "joakimlindgren"
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm
>SECURACCESS
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Realm = "SECURACCESS"
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm
>"SECURACCESS"

End all EAP connections. Because "SECURACCESS" domain name found where proxying the request to ip address mentioned in proxy.conf.

>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "suffix" returns updated for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Request already proxied. Ignoring.
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request
>0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "ntdomain" returns noop for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_eap: Request is supposed to be proxied to Realm SECURACCESS.
>Not doing EAP.

END EAP Tunnel, do NOT EAP only PAP.

>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "eap" returns noop for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "files" returns notfound for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: - authorize
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization for joakimlindgren

Here it authorizes against LDAP, What I want to do for SECUREACCESS domain is to NOT authorize against LDAP. All OTHER domains will authorize LDAP... (how do I accomplish this?)

>Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: '(uid=joakimlindgren)'
>Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: 'o=Contonso'
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: setting TLS CACert File to
>/etc/raddb/certs/eDirCerts/edirectory_ROOT_Cert_DER.pem
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: starting TLS
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: bind as cn=admin,o=Contonso/toor to 192.168.1.71:389
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: waiting for bind result ...
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter
>(uid=joakimlindgren)
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Added the eDirectory password in check items
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: looking for check items in directory...
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: looking for reply items in directory...
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: user joakimlindgren authorized to use remote access
>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "ldap" returns ok for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "pap" returns noop for request 0

I want to only authorize (and authenticate) PAP (for SECURACCESS), IF other domain (authorize and authenticate) against LDAP...

>Fri Feb 1 18:49:26 2008 : Debug: modcall: leaving group authorize (returns updated) for request 0
>Fri Feb 1 18:49:26 2008 : Debug: proxy: creating 4b01a8c0:1812
>Fri Feb 1 18:49:26 2008 : Debug: proxy: allocating 4b01a8c0:1812 0

// Thanks

Jayal1972 wrote:
>
> Hi again, I probably have to explain what I want to accomplish in detail,
> what I'm aiming for is this:
> In users file:
>
>>DEFAULT EAP-Type == PEAP, FreeRADIUS-Proxied-To !* 127.0.0.1, Proxy-To-Realm := LOCAL
>
> End all EAP-TTLS connections at proxy.
> If not SECURACCESS domain: check Username against LDAP.
> (If possible to order. Do NOT check SECURACCESS domain against LDAP
>
>>SECURACCESS FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := PAP, Proxy-To-Realm := >"SECURACCESS"
>
> All users found with SECURACCESS domain in name i.e.
> "[EMAIL PROTECTED]". Proxy them with PAP authentication to
> "SECURACCCESS" domain IP address mentioned in proxy.conf.
>
>>Fall-Through := No
>
> If SECURACCESS domain found in User-Name "[EMAIL PROTECTED]" stop after
> proxying.
>
> So I want to END all EAP tunnels at proxy for ALL domains. Authenticate
> with LDAP except for SECURACCESS domain.
> IF SECURACCESS domain found,
> proxy only PAP further (to IP address mentioned in proxy.conf).
>
>>Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Looking up realm "SECURACCESS" for User-Name = >"[EMAIL PROTECTED]"
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Found realm "SECURACCESS"
>
> So here we found SECURACCESS domain name in User-Name:
>
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "joakimlindgren"
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Proxying request from user joakimlindgren to realm >SECURACCESS
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Adding Realm = "SECURACCESS"
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Preparing to proxy authentication request to realm "SECURACCESS"
>
> Where proxying the request to ip address mentioned in proxy.conf (but here
> we don't end the EAP?)
>
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from
> suffix (rlm_realm) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "suffix"
> returns updated for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ntdomain
> (rlm_realm) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: rlm_realm: Request already proxied.
> Ignoring.
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from
> ntdomain (rlm_realm) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "ntdomain"
> returns noop for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling eap
> (rlm_eap) for request 0
>
> What I want: END EAP Tunnel, do NOT EAP only PAP.
>
> Fri Feb 1 18:49:26 2008 : Debug: rlm_eap: Request is supposed to be
> proxied to Realm SECURACCESS.
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "eap"
> returns noop for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling files
> (rlm_files) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "files"
> returns notfound for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling ldap
> (rlm_ldap) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: - authorize
> Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing user authorization
> for joakimlindgren
> Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: '(uid=joakimlindgren)'
> Fri Feb 1 18:49:26 2008 : Debug: radius_xlat: 'o=Contonso'
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: attempting LDAP reconnection
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: (re)connect to 192.168.1.71:389, authentication 0
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: Bind was successful
>
> Here it authenticates, What I want to do for SECUREACCESS domain is to NOT
> authenticate against LDAP.
> All OTHER domains will LDAP... (how do I accomplish this?)
>
>>Fri Feb 1 18:49:26 2008 : Debug: rlm_ldap: performing search in o=Contonso, with filter (uid=joakimlindgren)
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: calling pap
> (rlm_pap) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modsingle[authorize]: returned from
> pap (rlm_pap) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: modcall[authorize]: module "pap"
> returns noop for request 0
>
> I want to only do PAP (for SECURACCESS), IF other domain check against
> LDAP...
>
> Fri Feb 1 18:49:26 2008 : Debug: modcall: leaving group authorize
> (returns updated) for request 0
> Fri Feb 1 18:49:26 2008 : Debug: proxy: creating 4b01a8c0:1812
> Fri Feb 1 18:49:26 2008 : Debug: proxy: allocating 4b01a8c0:1812 0
> ...
>
> // Thanks
>
>
> Dmitry Sergienko-2 wrote:
>>
>> Hi!
>>
>> Jayal1972 wrote:
>>> Hi again, sorry have read the FAQ ;-) thought that it didn't needed,
>>> sorry.
>>
>>> Sending Access-Request of id 0 to 192.168.1.75 port 1812
>>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
>>> Re-sending Access-Request of id 0 to 192.168.1.75 port 1812
>>
>>> Fri Feb 1 18:49:42 2008 : Proxy: marking authentication server
>>> 192.168.1.75:1812 for realm SECURACCESS dead
>>
>> Your proxy server does not respond.
>> Please check if your proxy server accepts connections, no traffic
>> filtered and proxy really processes requests from
>> FreeRADIUS server. Replies should reach FreeRADIUS also.
>>
>> --
>> Best wishes,
>> Dmitry Sergienko (SDA104-RIPE)
>> Trifle Co., Ltd.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>

--
View this message in context: http://www.nabble.com/Terminate-EAP-PEAP-client-connection-at-FreeRadius-Proxy-and-proxy%28forward%29-request-as-PAP-tp15218593p15238687.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
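
An added example, not part of the original post and not FreeRADIUS code: a small Python parser for the debug-log format quoted above. It rebuilds the authorize module chain per request and reports requests that rlm_realm marked for proxying but on which ldap still returned a result. The sample log is constructed from the quoted lines (unwrapped and trimmed), and request 1 is an invented request without a realm, included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the quoted debug output (unwrapped, trimmed);
# request 1 is an invented request without a realm, added for contrast.
TS = "Fri Feb 1 18:49:26 2008 : Debug: "
SAMPLE_LOG = "\n".join(TS + s for s in [
    'modsingle[authorize]: calling suffix (rlm_realm) for request 0',
    'rlm_realm: Proxying request from user joakimlindgren to realm SECURACCESS',
    'modcall[authorize]: module "suffix" returns updated for request 0',
    'modcall[authorize]: module "eap" returns noop for request 0',
    'modcall[authorize]: module "files" returns notfound for request 0',
    'modcall[authorize]: module "ldap" returns ok for request 0',
    'modcall[authorize]: module "pap" returns noop for request 0',
    'modsingle[authorize]: calling suffix (rlm_realm) for request 1',
    'modcall[authorize]: module "suffix" returns noop for request 1',
    'modcall[authorize]: module "ldap" returns ok for request 1',
])

CALLING = re.compile(r'modsingle\[authorize\]: calling \S+ \(\S+\) for request (\d+)')
RETURNS = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+) for request (\d+)')
PROXYING = re.compile(r'rlm_realm: Proxying request from user \S+ to realm (\S+)')

def authorize_trace(log_text):
    """Map request id -> {'realm': proxy realm or None, 'modules': [(name, rcode)]}."""
    trace = defaultdict(lambda: {"realm": None, "modules": []})
    # rlm_realm lines carry no request id, so attribute them to the most recent
    # "calling" line (assumes requests are not interleaved in the log).
    current = None
    for line in log_text.splitlines():
        if m := CALLING.search(line):
            current = int(m.group(1))
        elif (m := PROXYING.search(line)) and current is not None:
            trace[current]["realm"] = m.group(1)
        elif m := RETURNS.search(line):
            trace[int(m.group(3))]["modules"].append((m.group(1), m.group(2)))
    return dict(trace)

def lookups_on_proxied(trace, module="ldap"):
    """Requests marked for proxying on which `module` still returned a real result."""
    hits = []
    for rid, info in sorted(trace.items()):
        for name, rcode in info["modules"]:
            if info["realm"] and name == module and rcode not in ("noop", "notfound"):
                hits.append((rid, info["realm"], rcode))
    return hits

if __name__ == "__main__":
    for rid, realm, rcode in lookups_on_proxied(authorize_trace(SAMPLE_LOG)):
        print(f"request {rid}: realm {realm} is proxied, but ldap returned {rcode}")
```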