Hi,

> to authenticate with the eduroam user. It seems that although the
> request is proxied, my server tries to locally check the authorized
> attributes of the user against my local ldap server. And since no
> such user exists ldap returns : object not found

use unlang to put a protection wrapper around your ldap, e.g.

    if (%{realm} =~ /yourrealm.com/) {
        ldap
    }

> Next, my server proxies another request with empty attributes
> certainly resulting from the previous object found result :
> Sending Access-Request of id 144 to 193.190.198.59 port 1812
>     User-Name := ""
>     User-Password := ""
>     Service-Type := Authenticate-Only
>     Message-Authenticator := 0x00000000000000000000000000000000
>     NAS-Identifier := "Status Check. Are you alive?"

this is a status-check packet - your server is configured to send status-check packets to the remote proxy to check if it's up/alive - there is no response to this request - so that's bad. you COULD configure proxy.conf for that remote proxy to use a username/pass (ideally a BAD password to get a REJECT) for this purpose if the remote proxy isn't responding to these packets as it should. for status requests a reject is as good as an accept... you get a response... that's what the server wants. you also then avoid leaking WORKING credentials into the system :-)

alan
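The proxy.conf change suggested in the reply above, as an added example that is not part of the original message: a home_server entry whose status checks carry a probe username with a deliberately wrong password. The section name, the probe account, the secret placeholder and the timing values are assumptions; the address and port are the ones in the quoted debug output.

```conf
# proxy.conf (FreeRADIUS 2.x syntax); names and values below are illustrative
home_server eduroam_upstream {            # hypothetical section name
	type   = auth
	ipaddr = 193.190.198.59           # remote proxy from the quoted debug output
	port   = 1812
	secret = REPLACE_WITH_SHARED_SECRET   # placeholder, not a real secret

	# Probe the remote proxy with an ordinary Access-Request instead of
	# relying on it to answer Status-Server packets.
	status_check = request

	# Probe identity: any answer, including Access-Reject, proves the
	# remote proxy is alive, so the password is intentionally wrong and
	# no working credential ever crosses the proxy chain.
	username = "status-probe@yourrealm.com"   # hypothetical account name
	password = "intentionally-wrong"          # constructed value

	check_interval       = 30   # seconds between probes (assumed value)
	num_answers_to_alive = 3    # replies needed before marking alive (assumed value)
}
```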