Re: Proxy EAP - TLS Nesting.
Hi, thanks for your reply.

I have to proxy all authentication requests to a virtual server (not just PEAP). We have different kinds of internal users (student, staff, guest, ...). Each of them is managed by one virtual server associated with one realm. Example, for the students:

    realm student.university.fr {
        virtual_server = student
    }

    server student {
    }

I can only specify one IP address and one port in the NAS configuration (wired dot1x and wireless network), and I will use the proxy port (1812). Maybe there is another method to do that... But I think that using a proxy is the best way.

Quoting Alan DeKok:
> brisston...@free.fr wrote:
> > I have some trouble proxying PEAP requests to an (internal) virtual server:
> > I have one proxy server (with realms defined in the proxy.conf file) that forwards the
> > request internally to a virtual server defined in the sites-enabled directory.
>
>   Why is there a need to proxy the PEAP packets?
>
> > For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is
> > successful, but with PEAP it doesn't work (it works with EAP-TTLS). I get this
> > error message: "Multiple levels of TLS nesting is invalid".
>
>   Deleting all of the other messages doesn't help.
>
>   Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
>
>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy EAP - TLS Nesting.
Hi everyone,

I have some trouble proxying PEAP requests to an (internal) virtual server: I have one proxy server (with realms defined in the proxy.conf file) that forwards the request internally to a virtual server defined in the sites-enabled directory.

For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is successful, but with PEAP it doesn't work (it works with EAP-TTLS). I get this error message: "Multiple levels of TLS nesting is invalid".

In my proxy.conf I have these lines:

    realm university.fr {
        virtual_server = my-virtual-server
        nostrip
    }

I should point out that the request is forwarded to the virtual server correctly.

I made some tests. If I change my proxy.conf like this:

    home_server localhost {
        port = 2812
        type = auth
        ipaddr = 127.0.0.1
        secret = **
        ...
    }

    home_server_pool my-pool {
        home_server = localhost
        type = fail-over
    }

    realm university.fr {
        auth_pool = my-pool
        nostrip
    }

-> Everything works correctly.

Does anyone have an idea?

Thanks in advance
Re: Multiple instance of proxy
Quoting Alan DeKok:
> brisston...@free.fr wrote:
> > I want to authorize the first proxy to manage realm1 and realm2 and the second
> > proxy to manage all the realms. I can't find anything in proxy.conf
>
>   The realms are global. If you want to limit them to a particular
> server, you will need to check for the realms that are allowed, and
> permit them. All other realms should be blocked.
>
>   Alan DeKok.

Thanks. Can you send me an example, please? I don't know how I can do that.

Thanks in advance.
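
The per-server realm check described in the quoted advice, written out as an added example; it is not part of the thread and not FreeRADIUS's shipped configuration. It assumes FreeRADIUS 2.x unlang, the stock `suffix` realm module and the stock `ok` and `reject` instances of the `always` module, the realm and server names used in the thread, and illustrative file names and ports.

```conf
# proxy.conf: realms are global, so all three are declared once.
realm realm1 {
	virtual_server = server1
	nostrip
}
realm realm2 {
	virtual_server = server2
	nostrip
}
realm realm3 {
	virtual_server = server3
	nostrip
}

# sites-enabled/proxy1 (assumed file name): may only handle realm1 and realm2.
server proxy1 {
	listen {
		type = auth
		ipaddr = *
		# assumed port
		port = 1812
	}
	authorize {
		# Sets Realm when the User-Name suffix matches a declared realm.
		suffix
		# Allow-list. A request with no Realm attribute fails both
		# comparisons and also ends up in the reject branch.
		if ((Realm == "realm1") || (Realm == "realm2")) {
			ok
		}
		else {
			reject
		}
	}
}

# sites-enabled/proxy2 (assumed file name): may handle every declared realm.
server proxy2 {
	listen {
		type = auth
		ipaddr = *
		# assumed port, the one named in the first post of the thread
		port = 1646
	}
	authorize {
		suffix
	}
}
```

Writing the check as an allow-list with a reject fallback means a realm added to proxy.conf later stays blocked on proxy1 until it is explicitly listed there.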
Re: Multiple instance of proxy
Quoting John Gammons:
> This configuration is located in proxy.conf.
>
> To proxy any @MYREALM1 requests to one server, and @MYREALM2 to
> another, you would enter something like the following in that file
>
> realm MYREALM1 {
>     authhost = radius.company1.com:1600
>     accthost = radius.company1.com:1601
>     secret = testing123
>     nostrip
> }
>
> realm MYREALM2 {
>     authhost = radius.company2.com:1812
>     accthost = radius.company2.com:1813
>     secret = testing123
>     nostrip
> }
>
> There are a lot of options, but it is explained in great detail in
> proxy.conf.
>
> Hope that helps.
>
> John
>
> On Fri, Apr 23, 2010 at 8:38 AM, wrote:
> > Quoting Alan DeKok:
> >
> >> brisston...@free.fr wrote:
> >> > I have a question about proxying requests with freeradius: is it possible to run
> >> > multiple instances of a proxy (not the same, but the same daemon) which use
> >> > different realm configurations.
> >>
> >>   Yes.
> >>
> >>   Alan DeKok.
> >
> > Thanks but... can you explain to me how I can do it? I tried to put a realm section in
> > the server section but it doesn't work. Can you help me please?
> >
> > Thanks in advance

Thanks for your reply. I have already understood that, but my real problem is that I would like to authorize realms depending on the proxy.

Example: I have 3 realms. Each of them is associated with one server declared in the sites-enabled directory:

- realm1 -> server1
- realm2 -> server2
- realm3 -> server3

and 2 proxies:

- proxy1
- proxy2

I want to authorize the first proxy to manage realm1 and realm2 and the second proxy to manage all the realms.

I can't find anything in proxy.conf. If you will, I would like to configure it like this:

    server proxy1 {
        listen {}
        realm1 { // go to server 1 }
        realm2 { // go to server 2 }
        authorize {}
        ...
    }

    server proxy2 {
        listen {}
        realm1 { // go to server 1 }
        realm2 { // go to server 2 }
        realm3 { // go to server 3 }
        authorize {}
        ...
    }

Thanks in advance
Re: Multiple instance of proxy
Quoting Alan DeKok:
> brisston...@free.fr wrote:
> > I have a question about proxying requests with freeradius: is it possible to run
> > multiple instances of a proxy (not the same, but the same daemon) which use
> > different realm configurations.
>
>   Yes.
>
>   Alan DeKok.

Thanks but... can you explain to me how I can do it? I tried to put a realm section in the server section but it doesn't work. Can you help me please?

Thanks in advance
Multiple instance of proxy
Hi everyone,

I have a question about proxying requests with freeradius: is it possible to run multiple instances of a proxy (not the same, but the same daemon) which use different realm configurations.

Example:

proxy 1 (port UDP 1812):
- realm @test.com
- realm @test1.com

proxy 2 (port UDP 1646):
- realm @test2.com
- realm @test3.com

Thanks in advance