I’m still fairly new at FreeRADIUS. Running 2.1.10 (we are planning our upgrade shortly).
Kind of a two-pronged question here... I'm encountering a particular issue, but also would like to hear if my broad approach is suitable. I am attempting to do the following:

- Use one FreeRADIUS server to authenticate for two different 802.1X networks (EAP-PEAP / MSCHAP).
- Both will use the mschap module to interface with Microsoft Active Directory.
- The first 802.1X network will authenticate against DOMAIN1, the second against both DOMAIN1 and DOMAIN2. The first network should reject authentication attempts from DOMAIN2.
- All usernames are specified with a full realm / FQDN.
- The RADIUS clients (wireless access points) will all be the same for the two networks.

What (I think) is the solution:

- In order for FreeRADIUS to distinguish which set of users (DOMAIN1 or DOMAIN1/2) to authenticate against, I have set up two virtual servers listening on different ports and (obviously) with different names. (working)
- The clients connect to FreeRADIUS over a different port depending on the network they're attempting to connect to. (working)
- Set up realms for both DOMAIN1 and DOMAIN2 to have them both authenticate locally. (working)
- Set up two mschap modules to call the ntlm_auth command with the proper DOMAIN string. (working)
- Depending on the realm provided, call a different mschap module from the inner-tunnel. (working)
- Depending on the virtual server the request was received through, call a different mschap module from the inner-tunnel or reject the request. (not working)

If there's a better/cleaner/simpler way to do this, I'm all ears.

My issue: Since it's EAP-PEAP, the request passes through the outer and inner-tunnel virtual servers. In my inner-tunnel, I'm doing an IF on the Realm. That seems to be evaluating properly if I look at the debug logs. If I do an IF on Virtual-Server it comes back with 'inner-tunnel'. If I do outer.request:Virtual-Server it oddly also comes back with 'inner-tunnel'. How do I see the actual virtual server?
Should I need to set a separate variable in the outer server and read it below? Here is my attempted code in "server inner-tunnel":

authenticate {
    Auth-Type MS-CHAP {
        if ("%{outer.request:Virtual-Server}" == "secure") {
            mschap_domain1
        }
        else {
            if ("%{Realm}" == "domain1.fqdn.org") {
                mschap_domain1
            }
            elsif ("%{Realm}" == "domain2.fqdn.org") {
                mschap_domain2
            }
        }
    }
    eap
}

In my debug logs:

Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +- entering group MS-CHAP {...}
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure")
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] expand: %{outer.request:Virtual-Server} -> inner-tunnel
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ++? if ("%{outer.request:Virtual-Server}" == "secure") -> FALSE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ++- entering else else {...}
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org")
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +++? if ("%{Realm}" == "domain1.fqdn.org") -> FALSE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org")
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] expand: %{Realm} -> domain2.fqdn.org
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] ? Evaluating ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +++? elsif ("%{Realm}" == "domain2.fqdn.org") -> TRUE
Thu Oct 4 13:05:18 2012 : Info: [mschapv2] +++- entering elsif ("%{Realm}" == "domain2.fqdn.org") {...}

Any suggestions for what I'm doing wrong or maybe a better way to tackle it?

Thanks,
Jordan Dohms

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
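An added illustration, not from Jordan's post, of the approach the question floats: tag the request in the outer virtual server and read the tag from the inner tunnel, so the decision no longer depends on the Virtual-Server xlat. It assumes the outer server for the first network is named "secure", a placeholder listen port, and that the Tmp-String-0 attribute and the %{outer.request:...} xlat are available in this 2.x build; the inner-tunnel branch also carries the DOMAIN2 rejection the first network requires.

```unlang
# Added example, not from the original post. Assumed names: outer virtual
# server "secure", placeholder port 18120, attribute Tmp-String-0 as the tag.
server secure {
    listen {
        type = auth
        ipaddr = *
        port = 18120        # placeholder; use the port the "secure" APs send to
    }
    authorize {
        # Tag every outer request before EAP runs. The PEAP inner request is
        # a child of this one, so the inner tunnel can read the tag back via
        # %{outer.request:Tmp-String-0} instead of relying on Virtual-Server.
        update request {
            Tmp-String-0 := "secure"
        }
        suffix
        eap
    }
    authenticate {
        eap
    }
}

# Inner tunnel shared by both outer servers: the tag decides which domains
# are allowed, the Realm (set by "suffix" in authorize) picks the module.
# The existing inner-tunnel authorize section is left as it is.
server inner-tunnel {
    authenticate {
        Auth-Type MS-CHAP {
            if ("%{outer.request:Tmp-String-0}" == "secure") {
                if ("%{Realm}" == "domain1.fqdn.org") {
                    mschap_domain1
                }
                else {
                    reject      # first network: DOMAIN2 or any other realm is refused
                }
            }
            elsif ("%{Realm}" == "domain1.fqdn.org") {
                mschap_domain1
            }
            elsif ("%{Realm}" == "domain2.fqdn.org") {
                mschap_domain2
            }
            else {
                reject          # unknown realm on the second network
            }
        }
        eap
    }
}
```

Run radiusd -X and look for the expand of %{outer.request:Tmp-String-0} in the [mschapv2] lines to confirm the tag crosses into the tunnel before trusting the branch.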