Hi,

I have a running FreeRADIUS installation (v 1.1.3-1.4 - as supplied by Red Hat), which is happily authing my local users (<login>@canterbury.ac.uk) via ntlm to active directory on Windows. This is achieved by matching my local domain in the proxy.conf. All other requests it passes on to an NRPS as part of the JANET Eduroam service via the DEFAULT realm.

I do however need to add in certificate based authentication for a pool of loan laptops which will not be using local auth (at the laptop end, and will be dealt with elsewhere with the services that they access), and this is proving problematic and leaves me with some questions:

1. Since the user names on these pool machines are likely to be of the form host/testlaptop.another.domain, how can I ensure that I match the domain entry since there is no '@' in the user name? i.e. drop the host/testlaptop and just leave me with .another.domain.

2. How do I configure an additional tls type within eap using a different set of certificates? These laptops will have autogenerated certs installed that point back to a root CA within a Windows Domain. I already have certs installed based around the NRPS, but for these laptops we will be using our own CA cert which will not be signed off elsewhere - but we can at least install the CA cert onto the laptops as part of the build to fix up the trust relationships.

Or, assuming that I can get 1 (above) working, am I better off just proxying the entire auth request onto another radius server? Which does, I admit, seem a little overkill.

Thoughts, comments etc are more than welcome.

Following at the end is a copy of the debug output which may be of use (note that I have deliberately anonymised the IP addresses etc in the output).

Regards

Paul

--------------------------

Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4a76ebe6
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host AAA.BBB.CCC.DDD:1645, id=156, length=235
        User-Name = "host/certtestlaptop.another.domain"
        Framed-MTU = 1400
        Called-Station-Id = "AA-BB-54-D2-00-74"
        Calling-Station-Id = "AA-BB-DE-18-F9-EB"
        Cisco-AVPair = "ssid=eduroam"
        WISPr-Location-Name = "My building and location"
        Service-Type = Login-User
        Message-Authenticator = 0x0f83b71640a7450739de6c22a58d9064
        EAP-Message = 0x0202002101686f73742f63657274746573746c6170746f702e63632e6c6f63616c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 192048
        NAS-Port-Id = "192048"
        NAS-IP-Address = AAA.BBB.CCC.DDD
        NAS-Identifier = "access point name"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/AAA.BBB.CCC.DDD/auth-detail-03-08-2009'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address:-%{Framed-IP-Address:-%{NAS-IP-Address}}}/auth-detail-%d-%m-%Y expands to /var/log/radius/radacct/AAA.BBB.CCC.DDD/auth-detail-03-08-2009
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "host/certtestlaptop.another.domain", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "host/certtestlaptop.another.domain"
rlm_realm: Proxying request from user host/certtestlaptop.another.domain to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Request already proxied. Ignoring.
  modcall[authorize]: module "ntdomain" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 158
    users: Matched entry DEFAULT at line 266
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 156 to AAA.BBB.CCC.DDD port 1645
        Service-Type := Administrative-User
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := "90"
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e6e8f937ac7a9d33173a95fef9efeca
Finished request 1
Going to the next request
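The rlm_realm lines in the debug output show why this request falls through to realm NULL: the suffix rule only ever looks for '@'. The following added example (not from the post, and not FreeRADIUS code) models that rule next to a separate lookup for host/<fqdn> machine identities, working from a constructed EAP Response/Identity packet; the realm table, the sample identity and the function names are assumptions.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def build_eap_identity(identifier: int, identity: str) -> bytes:
    """Encode an EAP Response/Identity packet: code, id, length, type, identity."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap_identity(eap_message: bytes) -> str:
    """Return the identity carried in an EAP Response/Identity packet (the EAP-Message attribute)."""
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if code != EAP_RESPONSE or length != len(eap_message) or eap_message[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity packet")
    return eap_message[5:length].decode("utf-8")


def suffix_realm(user_name: str, delimiter: str = "@"):
    """rlm_realm 'suffix' rule: returns (Stripped-User-Name, Realm); Realm is None without a delimiter."""
    if delimiter not in user_name:
        return user_name, None  # the "No '@' in User-Name ... looking up realm NULL" case
    stripped, realm = user_name.rsplit(delimiter, 1)
    return stripped, realm


def machine_realm(user_name: str, known_realms):
    """Assumed rule for host/<fqdn> identities (not an rlm_realm option): strip 'host/' and
    return the most specific parent domain of the FQDN that is a configured realm."""
    if not user_name.startswith("host/"):
        return None
    labels = user_name[len("host/"):].lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_realms:
            return candidate
    return None


if __name__ == "__main__":
    realms = {"another.domain", "canterbury.ac.uk"}                      # constructed realm table
    msg = build_eap_identity(2, "host/certtestlaptop.another.domain")   # constructed sample packet
    user = parse_eap_identity(msg)
    print(user, suffix_realm(user), machine_realm(user, realms))
```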