Jakub Morávek wrote:
First of all thanks for your reply. I'll try to be more specific.
On Feb 5, 2008 2:58 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
Jakub Morávek wrote:
> I have not many experiences with radius, so my question may be
> stupid. Has anybody experience with using freeradius (Version 1.1.3 in
> Debian Sarge) as proxy for RSA RADIUS Server included in RSA
> Authentication Manager 6.1?
Many people have tried this. It works.
I know, but I did not find anyone who discussed this problem.
> When authentication request goes through freeradius proxy, RSA Manager
> thinks that Agent host is my freeradius proxy instead of original host
> which sent authenticate request.
I don't know what an "Agent host" is. FreeRADIUS *is* a RADIUS client
to the RSA manager.
In RSA terminology "Agent hosts" is host which sends authentication
request.
For example, if you want to setup "ssh-server" to authenticate ssh
login against RSA, you have to add "ssh-server" (name and its IP
address) into RSA database and setup list of users, which are allowed
to log into "ssh-server".
If "user1" tries to access "ssh-server", "ssh-server" sends
authentication request to RSA.
RSA looks into database if "user1" is allowed to log into "ssh-server"
host.
In my case RSA rejects "user1" access, because RSA thinks, that
"user1" wants to log into "freeradius" and there is no "freeradius"
Agent host defined in RSA database.
> Does this mean, that freeradius process all attributes from
> pre-proxy-detail-20080204 log, but sends only attributes, which are
> shown in extended debug mode? If so, can anybody give me any advice how
> can I configure freeradius to send more attributes?
To do... what?
My idea is that freeradius does not send Client-IP-Address attribute
and therefore RSA RADIUS determines that original host is freeradius
proxy server.
Erm no, you're wrong; 'Client-IP-Address' is an internal FreeRADIUS
attribute. If it was sent the Funk RADIUS server wouldn't understand
it... but it's not sent as all FR internal attributes are filtered out.
The RSA Funk Server determines Agent Host identity from the UDP Packet
Header, not any of the attributes inside the RADIUS Packet. It could in
theory use NAS-IP-Address as an identifier, but I doubt it does.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Jakub
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
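
Added example (not part of the thread, and not FreeRADIUS or RSA code): a minimal RFC 2865 parser that shows the two identities discussed above, the UDP source address the server sees and the NAS-IP-Address attribute carried inside the packet. The addresses, the `KNOWN_CLIENTS` table and the assumption that the proxy forwards NAS-IP-Address unchanged are constructed for illustration.

```python
import ipaddress
import os
import struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS = 1, 1, 4  # RFC 2865 code/types

def build_access_request(user, nas_ip, ident=1):
    """Constructed sample: Access-Request with User-Name and NAS-IP-Address."""
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs  # 16-byte Request Authenticator

def parse_attributes(packet):
    """Return {type: value}, rejecting malformed length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def identify(packet, udp_source_ip, known_clients):
    """Return (client matched on UDP source address, NAS-IP-Address in packet)."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return known_clients.get(udp_source_ip), nas_ip

# Hypothetical server-side client table: only the original host is defined.
KNOWN_CLIENTS = {"192.0.2.10": "ssh-server"}
PACKET = build_access_request("user1", "192.0.2.10")

if __name__ == "__main__":
    print("direct:   ", identify(PACKET, "192.0.2.10", KNOWN_CLIENTS))
    print("via proxy:", identify(PACKET, "192.0.2.20", KNOWN_CLIENTS))
```

The same packet matches a defined client when it arrives from 192.0.2.10 and matches nothing when it arrives from the proxy at 192.0.2.20, even though the NAS-IP-Address inside it is identical in both cases.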