Re: proxy-to-realm versus using a suffix
Chris Fruehwirth wrote:
> Below is the debug output from FreeRADIUS. The first attempt is using
> the suffix [EMAIL PROTECTED], which works. The second attempt is using the
> users file and no realm, which fails.
...
> ++[eap] returns updated
> ++[unix] returns notfound
> users: Matched entry DEFAULT at line 207
> ++[files] returns ok

The "files" module is listed after the "eap" module. So the server will start EAP *before* you tell it to proxy the request.

The solution is to mark the request as being proxied *before* the EAP module runs.

If you don't want to do EAP authentication locally, then just delete the reference to the EAP module.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
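
Added example, not part of the original thread and not either poster's configuration: one way to mark a request as proxied before the EAP module runs, using the NAS-Port-Type condition discussed elsewhere in this thread. It assumes a FreeRADIUS 2.x server with unlang available and a realm named "SW" already defined in proxy.conf.

```unlang
# authorize section only (illustrative; the rest of the server config is unchanged).
# Assumption: realm "SW" exists in proxy.conf with a working home server.
authorize {
	# preprocess runs first so hints and huntgroups are applied.
	preprocess

	# Decide on proxying from attributes the NAS sends in the request.
	# EAP-Type cannot be used here: it is only known once an EAP
	# session has already started on this server.
	if (NAS-Port-Type == Wireless-802.11) {
		update control {
			Proxy-To-Realm := "SW"
		}
	}

	# eap is listed after the proxy decision, so the request is
	# already marked as proxied when this module is reached.
	eap {
		ok = return
	}

	unix

	# A users-file entry such as
	#   DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"
	# only takes effect before EAP if "files" is moved above "eap".
	files
}
```

Run the server in debug mode after the change and confirm that the proxy decision appears in the output before the `++[eap]` line for the wireless request.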
Re: proxy-to-realm versus using a suffix
Alan DeKok wrote:
> Chris Fruehwirth wrote:
>> Here is my update from testing with different versions. I tried to test
>> the same scenario with 2.0.5 and got the same failed results. Then I
>> went back to 1.1.7 and it worked.
>
> Read the debug output to see where the differences are.

I will review and post them tomorrow.

>> I would like to add the realm name to specific RADIUS traffic either by
>> IP address, EAP type or NAS-Port-Type.
>
> Why "add realm name"? Why not just "proxy traffic"? The two statements are *very* different.

I just want to proxy traffic. I got a little confused reviewing Ivan's reply.

> On top of that, you *can't* proxy by EAP type. The server recommends an EAP type... which means that by the time an EAP type is selected, the EAP session has already started. You can't switch an EAP session from one server to another.

Good to know.

>> I was thinking of doing something like this below in the users file.
>>
>> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"
>
> That won't work. Ever.
>
>> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"
>
> If your NAS sends that NAS-Port-Type, it should work.
>
>> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"
>
> That should work, too.
>
>> If there is a better way to do this in 2.0.4-5, please let me know.
>
> It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".
>
> i.e. You've posted configurations that you think *might* work. You've also said that you tried *other* configurations (not posted) that didn't work.
>
> How do you expect anyone to help you when you don't say what you're doing, and you don't say what happened?

I thought I sent my debug to the list earlier, again apparently not. I do appreciate the help. I'll try to make it a little easier next time.

Thanks,
Chris

> Alan DeKok.
Re: proxy-to-realm versus using a suffix
Chris Fruehwirth wrote:
> Here is my update from testing with different versions. I tried to test
> the same scenario with 2.0.5 and got the same failed results. Then I
> went back to 1.1.7 and it worked.

Read the debug output to see where the differences are.

> I would like to add the realm name to specific RADIUS traffic either by
> IP address, EAP type or NAS-Port-Type.

Why "add realm name"? Why not just "proxy traffic"? The two statements are *very* different.

On top of that, you *can't* proxy by EAP type. The server recommends an EAP type... which means that by the time an EAP type is selected, the EAP session has already started. You can't switch an EAP session from one server to another.

> I was thinking of doing something like this below in the users file.
>
> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"

That won't work. Ever.

> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"

If your NAS sends that NAS-Port-Type, it should work.

> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"

That should work, too.

> If there is a better way to do this in 2.0.4-5, please let me know.

It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".

i.e. You've posted configurations that you think *might* work. You've also said that you tried *other* configurations (not posted) that didn't work.

How do you expect anyone to help you when you don't say what you're doing, and you don't say what happened?

Alan DeKok.
Re: proxy-to-realm versus using a suffix
>I would like to add the realm name to specific RADIUS traffic either by
>IP address, EAP type or NAS-Port-Type.
>
>If there is a better way to do this in 2.0.4-5, please let me know.
>

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
Here is my update from testing with different versions. I tried to test the same scenario with 2.0.5 and got the same failed results. Then I went back to 1.1.7 and it worked.

Here is more information on what I am trying to do.

I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type.

I was thinking of doing something like this below in the users file.

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"

or

DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"

or by defining a huntgroup

DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"

If there is a better way to do this in 2.0.4-5, please let me know.

Thanks again,
Chris
Re: proxy-to-realm versus using a suffix
>Below is the debug output from FreeRADIUS. The first attempt is using
>the suffix [EMAIL PROTECTED], which works. The second attempt is using the
>users file and no realm, which fails.
>I'm just trying to figure out the differences between the two
>configurations and how to make the users file entry work like the suffix
>behavior.
>
>
>In the users file:
>
>DEFAULT Proxy-To-Realm := "SW"
>

If you want to add the realm to the username if one doesn't exist, the best place to do this is before processing (preprocess) in hints, not the users file.

Your problem is that the eap module is trying to process the request before it is proxied. And it shouldn't.

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
>I'm wondering what's the difference between using a suffix like @realmname
>versus using the proxy-to-realm in the users file.
>

Not much. With a suffix, the request will be proxied to that realm by default (if that realm is defined), while the proxy-to-realm attribute forces it in the cases when it normally wouldn't be proxied there.

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP