Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
Can I know what brand of radius server you are going to use for EAP-SIM/AKA ? I am interesting on this On Tue, Jul 2, 2013 at 3:51 PM, Phil Mayers p.may...@imperial.ac.uk wrote: On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote: So this [^@]*@wlan.mncX.mccY.**3gppnetwork.orghttp://wlan.mncX.mccY.3gppnetwork.orgis unique ? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator ? Yes, though be aware the pattern given isn't exactly valid; X and Y are N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to make a valid regexp. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
On 01.07.2013 18:34, Alan DeKok wrote: It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ? When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available. You can proxy Access-Requests to another server if User-Name matches [^@]*@wlan.mncX.mccY.3gppnetwork.org. This another server should insist on using EAP-SIM. If user tries to use another EAP method server should reject the user. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
From: Iliya Peregoudov iperegu...@cboss.ru To: freeradius-users@lists.freeradius.org Sent: Tuesday, July 2, 2013 2:20 PM Subject: Re: Using freeradius as proxy for EAP-SIM/EAP-AKA On 01.07.2013 18:34, Alan DeKok wrote: It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ? When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available. You can proxy Access-Requests to another server if User-Name matches [^@]*@wlan.mncX.mccY.3gppnetwork.org. This another server should insist on using EAP-SIM. If user tries to use another EAP method server should reject the user. So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique ? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote: So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique ? All the SIMs from the same mobile operator will have the same string and it will be different from another mobile operator ? Yes, though be aware the pattern given isn't exactly valid; X and Y are N-digit numbers (the MNC and MCC, obviously). Twiddle as appropriate to make a valid regexp. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
--I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? yes it is possible , but you have to make sure that all requests of an EAP session are being entertain by the same server, ( as proxy can have multipile freeradius servers), Read proxy.config, it have some methods for proxy, some of these are for chap and one or two or of EAP. similarly you can use some other methods like (Linux Virtual Server LVS) to accomplish this task. On Mon, Jul 1, 2013 at 10:48 AM, Ming-Ching Tiew mct...@yahoo.com wrote: Hi I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? Assuming brand X radius server has support for EAP-SIM/EAP-AKA, but it's located at the final end of the food chain, and in-between the brand X radius server and the Access point, there are 2 (or more) radius servers which are doing proxying ( and some other non-EAP SIM/EAP AKA work ). Will it work ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Best Regards Muhammad Nadeem Muhammad Ali Jinnah University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
If I understand you correctly, it means it is only possible to have ONE radius server which does EAP SIM/EAP AKA authentication in the entire chain of connections ? It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ? How about Linux LVS ? Will it able to split the EAP-SIM/EAP-AKA request to different (final) server based on certain criteria ? From: Muhammad Nadeem mnadeem8...@gmail.com To: Ming-Ching Tiew mct...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Monday, July 1, 2013 3:10 PM Subject: Re: Using freeradius as proxy for EAP-SIM/EAP-AKA --I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? yes it is possible , but you have to make sure that all requests of an EAP session are being entertain by the same server, ( as proxy can have multipile freeradius servers), Read proxy.config, it have some methods for proxy, some of these are for chap and one or two or of EAP. similarly you can use some other methods like (Linux Virtual Server LVS) to accomplish this task. On Mon, Jul 1, 2013 at 10:48 AM, Ming-Ching Tiew mct...@yahoo.com wrote: Hi I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? Assuming brand X radius server has support for EAP-SIM/EAP-AKA, but it's located at the final end of the food chain, and in-between the brand X radius server and the Access point, there are 2 (or more) radius servers which are doing proxying ( and some other non-EAP SIM/EAP AKA work ). Will it work ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Best Regards Muhammad Nadeem Muhammad Ali Jinnah University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius as proxy for EAP-SIM/EAP-AKA
Ming-Ching Tiew wrote: If I understand you correctly, it means it is only possible to have ONE radius server which does EAP SIM/EAP AKA authentication in the entire chain of connections ? No. It means that you don't KNOW it's EAP-SIM until after you decide to proxy it. It's not possible for one proxy radius to send request to different EAP SIM/EAP AKA radius server (based on certain criteria) ? When you're proxying an EAP packet, the ONLY criteria you have is the EAP identity. You do NOT have the EAP type available. How about Linux LVS ? Will it able to split the EAP-SIM/EAP-AKA request to different (final) server based on certain criteria ? No. Adding a virtual server is no different from adding another machine on the network. It won't make any difference. The issue is with the EAP protocol. Not with the network stack. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using freeradius as proxy for EAP-SIM/EAP-AKA
Hi I am wondering if it is possible to proxy EAP-SIM/EAP-AKA authentication using FreeRadius ? Assuming brand X radius server has support for EAP-SIM/EAP-AKA, but it's located at the final end of the food chain, and in-between the brand X radius server and the Access point, there are 2 (or more) radius servers which are doing proxying ( and some other non-EAP SIM/EAP AKA work ). Will it work ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html