Hello,

Could anyone help me?

I'm trying to set up freeradius 2.1.12 for eduroam.
Local authentication works well, but the proxy part does not.

Here is the configuration:

RADIUSD.CONF :

# Installation layout; every path below is derived from these prefixes.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# Unprivileged account the daemon runs as; the log and radacct
# directories above must be writable by it.
user = freerad
group = freerad
# Hard upper bound on a request's lifetime, in seconds. In the debug
# trace below the proxied request is cleaned up 14 s after arrival,
# i.e. once the proxy retries (retry_delay/retry_count in proxy.conf)
# are exhausted, so this limit is not what ends it.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
# Authentication listener on every IPv4 address. port = 0 means the
# "radius" port from /etc/services. Which peers may talk to it is
# decided by clients.conf, not by the bind address.
listen {
    type = auth
    ipaddr = *
    port = 0
}
# Accounting listener, same address/port convention as the auth one.
listen {
    ipaddr = *
    port = 0
    type = acct
}
# No reverse DNS per request (avoids a blocking lookup in the hot path).
hostname_lookups = no
# Keep core dumps off in production: a core file holds the shared
# secrets and session material that are in memory at the time.
allow_core_dumps = no
# Both are needed by the "=~" comparisons in the authorize section.
regular_expressions    = yes
extended_expressions    = yes
# Main log. With auth = no the Access-Accept/Access-Reject outcomes are
# not written to radius.log at all; for an eduroam server that trail is
# what an abuse report or an incident is traced from, so auth = yes is
# worth considering. auth_badpass/auth_goodpass add the password to the
# log line and should stay off.
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}
# Helper used for Simultaneous-Use checks (the nastype entries in
# clients.conf tell it how to query each NAS). The session section of
# the virtual server below is empty, so it is not exercised from there.
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    # Delays every Access-Reject by one second; slows down online
    # password guessing at negligible cost to legitimate users.
    reject_delay = 1
    # Answers Status-Server; required because home_server localhost in
    # proxy.conf checks this same server with status_check = status-server.
    status_server = yes
}
# Proxying must stay on: the DEFAULT realm in proxy.conf is what
# forwards unknown realms to the national eduroam servers.
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
# Worker thread limits. max_requests_per_server = 0 means threads are
# never recycled after a fixed number of requests.
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
# Module definitions: everything under modules/ plus EAP and SQL
# (sql_l3invites and sql_acct used by the virtual server come from
# sql.conf; sql_l3invites itself is not shown in this post).
modules {
    $INCLUDE ${confdir}/modules/
    $INCLUDE eap.conf
    $INCLUDE sql.conf
}
# Modules that must be initialised even if no section references them.
instantiate {
    exec
    expr
    expiration
    logintime
}
$INCLUDE policy.conf
# Every file in sites-enabled/ is loaded. NOTE(review): the debug trace
# names /etc/freeradius/sites-enabled/eduroam, while the listing below
# is labelled "default" -- confirm which file is actually in effect.
$INCLUDE sites-enabled/


sites-enabled/default:

# Decides whether a request is handled locally or proxied.
# Requests are accepted only when the User-Name contains "@"; realm
# selection (suffix) then routes anything not listed in proxy.conf to
# the DEFAULT realm, i.e. to the national eduroam servers.
authorize {
    preprocess
# NOTE(review): this pattern expects ":"-separated MAC octets, but the
# Called-Station-Id this NAS sends (see the trace) is "-"-separated:
# "00-0B-0E-94-89-40:eduroam". If the L3Invites SSID is served by the
# same NAS type, this branch can never match and those users fall
# through to the elsif/else below.
if ("%{Called-Station-Id}" =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) {
                sql_l3invites
        }
        # Any name with an "@" passes on to realm selection below.
        elsif ("%{User-Name}" =~ /.*@.*/) {
                ok
    }
    else {
        update reply {
# The submitted identifier is echoed back to the client in the reject.
Reply-Message := "%{User-Name} : Format Identifiant non valide!"
        }
        reject
    }
    mschap
    # Picks the realm; for an unknown realm the trace shows
    # 'Found realm "DEFAULT"' and the request is marked for proxying.
    suffix
    # Once marked for proxying, eap returns noop ("Not doing EAP").
    eap {
        ok = return
    }
    pap
}
# Local authentication only. Proxied requests never get here: the trace
# shows eap returning noop as soon as suffix marks the request for
# realm DEFAULT.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
# Accounting pre-processing; suffix here selects the realm whose
# accthost receives the Accounting-Request.
preacct {
    preprocess
    acct_unique
    suffix
    files
}
# Accounting goes to SQL (sql_acct from sql.conf); the attr_filter
# strips non-standard attributes from the Accounting-Response.
accounting {
    sql_acct
    exec
    attr_filter.accounting_response
}
# Empty: no Simultaneous-Use check is performed in this virtual server.
session {
}
# Runs after an Access-Accept, including those returned by a home
# server for proxied (visitor) requests.
post-auth {
    reply_log
    # VLAN attributes are always added; the VLAN id itself is chosen
    # per realm below.
    update reply {
        Tunnel-Type := "VLAN"
        Tunnel-Medium-Type := "IEEE-802"
    }
    # NOTE(review): compares the whole User-Name with the literal
    # "L3Invite" (authorize uses "L3Invites" in its pattern); a name
    # without "@" is rejected in authorize unless the L3Invites branch
    # accepted it, so check this is the condition actually intended.
    if ("%{User-Name}" == "L3Invite") {
                update reply {
                                Tunnel-Private-Group-Id := "53"
                        }
        }
    # NOTE(review): there is no case for realm DEFAULT (eduroam
    # visitors), so their Access-Accept carries Tunnel-Type and
    # Tunnel-Medium-Type but no Tunnel-Private-Group-Id; which VLAN
    # the NAS then uses is up to the NAS. Decide that explicitly.
    switch "%{Realm}" {
        case "univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "54"
                    }
        }
        case "etu.univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "55"
                    }
        }
        case "ext.univ-lille3.fr" {
            update reply {
                Tunnel-Private-Group-Id := "50"
                    }
        }
        }
    exec
    # Rejects are filtered down to the attributes allowed in an
    # Access-Reject before being logged.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        linelog
    }
}
# Writes each outgoing proxied request to a per-client detail file
# under radacct (see the trace for the expanded path). Those files
# contain user identities and MAC addresses; keep them under the same
# access restrictions as radius.log.
pre-proxy {
    pre_proxy_log
}
# Handles replies from home servers; eap is needed here so the EAP
# state carried in the home server's reply is processed.
post-proxy {
    post_proxy_log
    eap
    # Entered when no home server answers (the trace ends with the
    # home server being marked zombie). Only a log entry is written;
    # with default_fallback = no in proxy.conf there is no local
    # fallback, so the supplicant simply times out.
    Post-Proxy-Type Fail {
        post_proxy_fail_log
    }
}

PROXY.CONF :

# Retransmission policy for proxied requests: the trace shows the
# three attempts 5 s apart (15:29:46, :51, :56) that these values
# produce. dead_time is how long an unresponsive home server is left
# unused; a server marked dead will not be retried for 10 minutes,
# which matters when re-testing after a configuration change.
proxy server {
    default_fallback = no
    retry_delay = 5
    retry_count = 3
    dead_time = 600
}
# Points this server at itself (127.0.0.1:1812, i.e. the auth listener
# above). Only realm example.com uses it.
home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    # NOTE(review): this is the stock example value. It has to match the
    # "client localhost" secret in clients.conf (masked in this post);
    # replace it with a site-specific value even for loopback.
    secret = testing123
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    # Relies on status_server = yes in radiusd.conf.
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
# Pool with a single member; only realm example.com references it.
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
# NOTE(review): leftover from the stock proxy.conf. As written, any
# user@example.com is proxied back to this server itself; remove it
# unless it is deliberately used.
realm example.com {
    auth_pool = my_auth_failover
}
# A realm with no home servers is handled locally.
realm LOCAL {
}
# Realm for User-Names without a "@". Handled locally, although the
# authorize section rejects such names before suffix runs.
realm NULL {
}
# Local realm in the old-style (authhost/accthost) syntax: LOCAL means
# authenticate here, never proxy. nostrip keeps the "@realm" part in
# User-Name for the local lookups.
realm univ-lille3.fr {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}
# Local student realm, same handling as univ-lille3.fr.
realm etu.univ-lille3.fr {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}
# Local external-users realm, same handling as univ-lille3.fr.
realm ext.univ-lille3.fr {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    nostrip
}

# Catch-all: every realm not listed above is forwarded to the national
# eduroam servers. nostrip is required so the home server sees the
# full outer identity.
realm DEFAULT {
    type = radius
    authhost = rad1.eduroam.fr:1812
    accthost = rad1.eduroam.fr:1813
    # Shared secret agreed with the NREN for this server's source
    # address. NOTE(review): the trace shows no reply at all from
    # 193.51.224.109 over three attempts, which is consistent with a
    # secret mismatch (a home server silently discards a request whose
    # Message-Authenticator does not verify), with this server's source
    # address not being registered at the peer, or with a path/firewall
    # block. The peer's logs, or a capture at the border, distinguish
    # the three; the local trace cannot.
    secret = **********************************
    nostrip
}

# NOTE(review): second definition of the same realm name. The
# old-style realm syntax is deprecated in 2.x; confirm in the start-up
# output that rad2.eduroam.fr is actually registered as a fail-over
# home server for DEFAULT. Expressing this as one home_server_pool with
# two home_server entries (as done for localhost above) makes the
# fail-over explicit and lets status checks apply to both.
realm DEFAULT {
    type = radius
    authhost = rad2.eduroam.fr:1812
    accthost = rad2.eduroam.fr:1813
    secret = ************************************
    nostrip
}

CLIENTS.CONF :

# Loopback client; its secret must equal the one in home_server
# localhost (proxy.conf) for the example.com realm to work.
client localhost {
    ipaddr = 127.0.0.1
    secret        = *******
    require_message_authenticator = yes
}
# National eduroam proxy, inbound direction (requests for this site's
# own users roaming elsewhere). NOTE(review): unlike the localhost
# client, require_message_authenticator is not set here; eduroam
# traffic is EAP and always carries Message-Authenticator, so enabling
# it costs nothing and rejects forged or corrupted requests early.
client 193.51.224.109 {
    secret    = ****************************
    shortname = rad1.eduroam.fr
}
# Second national eduroam proxy; same remarks as for rad1.eduroam.fr.
client 130.79.200.23 {
    secret    = ****************************
    shortname = rad2.eduroam.fr
}
# Wireless controller. nastype is only consulted by checkrad for
# Simultaneous-Use, which this virtual server does not enable.
client ******* {
    secret  = **********
    shortname = MX800R-1
    nastype = trapeze
}
# Second wireless controller, same remarks as MX800R-1.
client ******** {
    secret  = ***********
    shortname = MX800R-2
    nastype = trapeze
}


Debug output (-XX):


rad_recv: Access-Request packet from host 192.168.58.5 port 20009, id=46, length=176
    NAS-Port-Id = "AP42/1"
    Calling-Station-Id = "74-2F-68-ED-12-1C"
    Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
    User-Name = "esup...@univ-rouen.fr"
    NAS-Port = 57286
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x6830881b1c96c187831ae1494d8e8f2a
Mon Jan 21 15:29:46 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam
Mon Jan 21 15:29:46 2013 : Info: +- entering group authorize {...}
Mon Jan 21 15:29:46 2013 : Info: ++[preprocess] returns ok
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/)
Mon Jan 21 15:29:46 2013 : Info: expand: %{Called-Station-Id} -> 00-0B-0E-94-89-40:eduroam
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating ("%{Called-Station-Id}" =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE
Mon Jan 21 15:29:46 2013 : Info: ++? if ("%{Called-Station-Id}" =~ /^([0-9A-F]{2}:){5}[0-9A-F]{2}:L3Invites$/) -> FALSE
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~ /.*@.*/)
Mon Jan 21 15:29:46 2013 : Info:     expand: %{User-Name} -> hidden
Mon Jan 21 15:29:46 2013 : Info: ? Evaluating ("%{User-Name}" =~ /.*@.*/) -> TRUE
Mon Jan 21 15:29:46 2013 : Info: ++? elsif ("%{User-Name}" =~ /.*@.*/) -> TRUE
Mon Jan 21 15:29:46 2013 : Info: ++- entering elsif ("%{User-Name}" =~ /.*@.*/) {...}
Mon Jan 21 15:29:46 2013 : Info: +++[ok] returns ok
Mon Jan 21 15:29:46 2013 : Info: ++- elsif ("%{User-Name}" =~ /.*@.*/) returns ok
Mon Jan 21 15:29:46 2013 : Info: ++ ... skipping else for request 228: Preceding "if" was taken
Mon Jan 21 15:29:46 2013 : Info: ++[mschap] returns noop
Mon Jan 21 15:29:46 2013 : Info: [suffix] Looking up realm hidden for User-Name = hidden
Mon Jan 21 15:29:46 2013 : Info: [suffix] Found realm "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: [suffix] Adding Realm = "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: [suffix] Proxying request from user hidden to realm DEFAULT
Mon Jan 21 15:29:46 2013 : Info: [suffix] Preparing to proxy authentication request to realm "DEFAULT"
Mon Jan 21 15:29:46 2013 : Info: ++[suffix] returns updated
Mon Jan 21 15:29:46 2013 : Info: [eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
Mon Jan 21 15:29:46 2013 : Info: ++[eap] returns noop
Mon Jan 21 15:29:46 2013 : Info: ++[pap] returns noop
Mon Jan 21 15:29:46 2013 : Info: # Executing section pre-proxy from file /etc/freeradius/sites-enabled/eduroam
Mon Jan 21 15:29:46 2013 : Info: +- entering group pre-proxy {...}
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.58.5/pre-proxy-detail-20130121
Mon Jan 21 15:29:46 2013 : Info: [pre_proxy_log] expand: %t -> Mon Jan 21 15:29:46 2013
Mon Jan 21 15:29:46 2013 : Info: ++[pre_proxy_log] returns ok
Sending Access-Request of id 243 to 193.51.224.109 port 1812
    NAS-Port-Id = "AP42/1"
    Calling-Station-Id = "74-2F-68-ED-12-1C"
    Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
    User-Name = hidden
    NAS-Port = 57286
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x3436
Mon Jan 21 15:29:46 2013 : Info: Proxying request 228 to home server 193.51.224.109 port 1812
Sending Access-Request of id 243 to 193.51.224.109 port 1812
    NAS-Port-Id = "AP42/1"
    Calling-Station-Id = "74-2F-68-ED-12-1C"
    Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
    User-Name = hidden
    NAS-Port = 57286
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x3436
Mon Jan 21 15:29:46 2013 : Debug: Going to the next request
Mon Jan 21 15:29:46 2013 : Debug: Waking up in 0.9 seconds.
Mon Jan 21 15:29:47 2013 : Debug: Waking up in 13.0 seconds.
rad_recv: Access-Request packet from host 192.168.58.5 port 20009, id=46, length=176
Mon Jan 21 15:29:51 2013 : Info: Sending duplicate proxied request to home server 193.51.224.109 port 1812 - ID: 243
Sending Access-Request of id 243 to 193.51.224.109 port 1812
    NAS-Port-Id = "AP42/1"
    Calling-Station-Id = "74-2F-68-ED-12-1C"
    Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
    User-Name =hidden
    NAS-Port = 57286
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x3436
Mon Jan 21 15:29:51 2013 : Debug: Waking up in 9.0 seconds.
rad_recv: Access-Request packet from host 192.168.58.5 port 20009, id=46, length=176
Mon Jan 21 15:29:56 2013 : Info: Sending duplicate proxied request to home server 193.51.224.109 port 1812 - ID: 243
Sending Access-Request of id 243 to 193.51.224.109 port 1812
    NAS-Port-Id = "AP42/1"
    Calling-Station-Id = "74-2F-68-ED-12-1C"
    Called-Station-Id = "00-0B-0E-94-89-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001a016573757064656d40756e69762d726f75656e2e6672
    User-Name = hidden
    NAS-Port = 57286
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x3436
Mon Jan 21 15:29:56 2013 : Debug: Waking up in 4.0 seconds.
Mon Jan 21 15:30:00 2013 : Info: Cleaning up request 228 ID 46 with timestamp +1976
Mon Jan 21 15:30:00 2013 : Proxy: Marking home server 193.51.224.109 port 1812 as zombie (it looks like it is dead).

Thanks




