Re: Proxy EAP - TLS Nesting.

2010-04-28 Thread brisstony21
Hi, thanks for your reply.

I have to proxy all authentication requests to a virtual server (not just PEAP). We
have different kinds of internal users (student, staff, guest, ...). Each of
them is managed by one virtual server associated with one realm. For example, for
the students:

realm student.university.fr {
    virtual_server = student
}

server student {

}

I can only specify one IP address and one port in the NAS configuration (wired dot1x
and wireless network) and I will use the proxy port (1812).

Maybe there is another method to do that... But I think that using a proxy is the
best way.


Quoting Alan DeKok:

> brisston...@free.fr wrote:
> > I have some troubles to proxy PEAP requests to (internal) virtual server :
> > I have one proxy server (with realms define in proxy.conf file) that forward the
> > request internally to a virtual server define in site-enabled directory.
>
>   Why is there a need to proxy the PEAP packets?
>
> > For basic authentication request (PAP, CHAP, MSCHAP, ...) , authentication is
> > successful, but with PEAP it doesn't work (work with EAP-TTLS). I have this
> > error message : "Multiple levels of TLS nesting is invalid".
>
> Deleting all of the other messages doesn't help.
>
>   Are you sure it's just PEAP (MSCHAP), and not PEAP-TLS?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




Proxy EAP - TLS Nesting.

2010-04-27 Thread brisstony21
Hi everyone,

I have some trouble proxying PEAP requests to an (internal) virtual server:
I have one proxy server (with realms defined in the proxy.conf file) that forwards the
request internally to a virtual server defined in the site-enabled directory.

For basic authentication requests (PAP, CHAP, MSCHAP, ...), authentication is
successful, but with PEAP it doesn't work (it works with EAP-TTLS). I get this
error message: "Multiple levels of TLS nesting is invalid".

In my proxy.conf I have these lines:

realm university.fr {
    virtual_server = my-virtual-server
    nostrip
}

I should mention that the request is correctly forwarded to the virtual server.

I made some tests. If I change my proxy.conf like this:

home_server localhost {
    port = 2812
    type = auth
    ipaddr = 127.0.0.1
    secret = **
    ...
}

home_server_pool my-pool {
    home_server = localhost
    type = fail-over
}

realm university.fr {
    auth_pool = my-pool
    nostrip
}

-> Everything works correctly. Does anyone have an idea?

Thanks in advance




Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Quoting Alan DeKok:

> brisston...@free.fr wrote:
> > I want to authorize the first proxy to manage realm1 and realm2 and the second
> > proxy to manage all the realms. I don't find anything in the proxy.conf
>
>   The realms are global.  If you want to limit them to a particular
> server, you will need to check for the realms that are allowed, and
> permit them.  All other realms should be blocked.
>
>   Alan DeKok.

Thanks.

Can you send me an example please... I don't know how I can do that.

Thanks in advance.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
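
One way to apply the advice quoted above (realms stay global in proxy.conf, and each virtual server permits only its own realms), as an added example that is not part of the original thread or of the FreeRADIUS distribution. It assumes FreeRADIUS 2.x unlang, the realm names realm1 to realm3 used in this thread, and the two UDP ports from the first message of the thread; the listen addresses are placeholders.

```conf
# Added illustration, not from the thread. The realm { ... } definitions
# for realm1, realm2 and realm3 stay global in proxy.conf.

# First listener: may only handle realm1 and realm2.
server proxy1 {
    listen {
        type   = auth
        ipaddr = *        # placeholder address
        port   = 1812
    }

    authorize {
        # The realm module sets the Realm attribute for realms it knows
        suffix

        # Allowlist check: anything that is not realm1 or realm2 is
        # rejected here. "%{Realm}" expands to an empty string when no
        # realm matched, so realm-less requests are rejected as well
        # (a fail-closed choice made for this example).
        if (("%{Realm}" != "realm1") && ("%{Realm}" != "realm2")) {
            reject
        }
    }
}

# Second listener: may handle every realm defined in proxy.conf,
# so no realm check is needed.
server proxy2 {
    listen {
        type   = auth
        ipaddr = *        # placeholder address
        port   = 1646
    }

    authorize {
        suffix
    }
}
```

Running the server in debug mode (`radiusd -X`) shows which virtual server received a request and whether the realm check rejected it.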


Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Quoting John Gammons:

> This configuration is located in proxy.conf.
>
> To proxy any @MYREALM1 requests to one server, and @MYREALM2 to
> another, you would enter something like the following in that file
>
> realm MYREALM1 {
>     authhost = radius.company1.com:1600
>     accthost = radius.company1.com:1601
>     secret   = testing123
>     nostrip
> }
>
> realm MYREALM2 {
>     authhost = radius.company2.com:1812
>     accthost = radius.company2.com:1813
>     secret   = testing123
>     nostrip
> }
>
> There are a lot of options, but it is explained in great detail in
> proxy.conf.
>
> Hope that helps.
>
> John
>
>
> On Fri, Apr 23, 2010 at 8:38 AM,   wrote:
> > Quoting Alan DeKok:
> >
> >> brisston...@free.fr wrote:
> >> > I have a question about proxy request with freeradius : is it possible to run
> >> > multiple instance of proxy (not the same but the same daemon) which use
> >> > different realm configuration.
> >>
> >>   Yes.
> >>
> >>   Alan DeKok.
> >
> >
> > Thanks but... can you explain me how can I do? I try to put realm section in
> > server section but it doesn't work. Can you help me please?
> >
> > Thanks in advance

Thanks for your reply. I have already understood that, but my real problem is
that I would like to authorize realms depending on the proxy. Example:

I have 3 realms. Each of them is associated with one server declared in the
site-enabled directory:
- realm1 -> server1
- realm2 -> server2
- realm3 -> server3

and 2 proxies:
- proxy1
- proxy2

I want to authorize the first proxy to manage realm1 and realm2 and the second
proxy to manage all the realms. I can't find anything in proxy.conf.

If you will, I would like to configure it like this:

server proxy1 {

   listen {}
   realm1 { // go to server 1}
   realm2 { // go to server 2}

   authorize {}
   ...
}

server proxy2 {

   listen {}
   realm1 { // go to server 1}
   realm2 { // go to server 2}
   realm3 { // go to server 3}

   authorize {}
   ...
}

Thanks in advance


Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Quoting Alan DeKok:

> brisston...@free.fr wrote:
> > I have a question about proxy request with freeradius : is it possible to run
> > multiple instance of proxy (not the same but the same daemon) which use
> > different realm configuration.
>
>   Yes.
>
>   Alan DeKok.


Thanks but... can you explain to me how I can do it? I tried to put a realm section in
a server section but it doesn't work. Can you help me please?

Thanks in advance


Multiple instance of proxy

2010-04-22 Thread brisstony21


Hi everyone,

I have a question about proxying requests with FreeRADIUS: is it possible to run
multiple instances of a proxy (not the same, but in the same daemon) which use
different realm configurations?

Example:

proxy 1 (port UDP 1812) :
- realm @test.com
- realm @test1.com

proxy 2 (port UDP 1646) :
- realm @test2.com
- realm @test3.com

Thanks in advance