Proxying not work with prefix and suffix realm?
I proxy realm 'helloworld' to radius server,
But it forward to DEFAULT server only.
Wichit N.
--
modcall: entering group authorize for request 9
modcall[authorize]: module preprocess returns ok for request 9
modcall[authorize]: module chap
Is there any news on proxying EAP/TTLS? Does the thing work?
p.s. in last discussion on mailing list Alan has said that this
don't work.
thanks
Sergio - Srdjan Vemic
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fastbyte [EMAIL PROTECTED] wrote:
Is there any news on proxying EAP/TTLS? Does the thing work?
p.s. in last discussion on mailing list Alan has said that this
don't work.
There has been no announcement that it works, so it still doesn't
work.
Alan DeKok.
On Wed, 2003-10-08 at 17:55, Chris Parker wrote:
At 10:45 AM 10/8/2003, Josh Howlett wrote:
I am using freeradius (0.9) to proxy RADIUS packets.
I have run into a possible bug. A username with a Windows domain
prepended to the user in the format CC\\username gets proxied in the
format
At 10:45 AM 10/8/2003, Josh Howlett wrote:
I am using freeradius (0.9) to proxy RADIUS packets.
I have run into a possible bug. A username with a Windows domain
prepended to the user in the format CC\\username gets proxied in the
format C\\username; because the domain is CC the authentication
APs they are required to LEAP
reauthenticate and I have instances where, if the WAN link is a little
congested, the client's LAN connection drops out for 20secs or so if the
ACS does not respond quickly enough.
I know Funk's SteelBelted product can do LEAP proxying but it is over
priced
confirm this
beforehand!
Yes. I've proxied LEAP requests to another server. See
'raddb/radiusd.conf'. It has explicit comments on proxying LEAP.
When Cisco clients roam between APs they are required to LEAP
reauthenticate and I have instances where, if the WAN link is a little
congested
this by proxying LEAP packets...
Alan,
I was rather hoping that the FR machine would do an element of user/pass caching but
the very nature of LEAP means it will always need to interrogate the Cisco ACS each
time.
Hmmm - makes me think it might be best to forget the Cisco ACS altogether.
Thanks for your
Hello!
I have problem with proxying accounting information:
---radius.log:
Tue Aug 19 10:09:10 2003 : Error: Reply from home server 217.116.156.71:1813
arrived too late for request 55. Try increasing 'retry_delay' or
'max_request_time'
---tcpdump
10:09:10.599357 217.116.156.33.1814
--- Sepp Rudel [EMAIL PROTECTED] wrote:
I thought I could do the tricks with rlm_perl but I
get this error:
radiusd.conf: perl modules aren't allowed in
'post-proxy' sections -- they have no such method.
With the attached patch against latest CVS snapshot I
can use rlm_perl in pre-proxy,
--- Sepp Rudel [EMAIL PROTECTED] wrote:
Hi,
probably yet another stupid question: I have
FreeRADIUS 0.8.1 proxying requests from clients to a
remote RADIUS server.. I'd like to store the
attributes received in the Access-Accept or
Access-Reject packets from the remote server to the
DB
Sepp Rudel [EMAIL PROTECTED] wrote:
I thought I could do the tricks with rlm_perl but I
get this error:
radiusd.conf: perl modules aren't allowed in
'post-proxy' sections -- they have no such method.
So any suggestions are still welcome..
Source code patches?
It should be relatively
Hi,
probably yet another stupid question: I have
FreeRADIUS 0.8.1 proxying requests from clients to a
remote RADIUS server.. I'd like to store the
attributes received in the Access-Accept or
Access-Reject packets from the remote server to the DB
running on the same host as FreeRADIUS. Obviously
radrelay to forward the accounting data to the other server.
http://www.freeradius.org/radiusd/doc/radrelay
On Sun, 8 Jun 2003, Ossama Suleiman wrote:
hi all,
is it possible to proxy the data to more than 1 server??
proxying from server-a to server-b is working just fine, but what i want
hi all,
is it possible to proxy the data to more than 1 server??
proxying from server-a to server-b is working just fine, but what i want
to do is to proxy from server-a to server-b AND server-c
i tried to add another section in acct_users, but only the first match
is proxied the other
You could use radrelay to forward the accounting data to the other server.
http://www.freeradius.org/radiusd/doc/radrelay
On Sun, 8 Jun 2003, Ossama Suleiman wrote:
hi all,
is it possible to proxy the data to more than 1 server??
proxying from server-a to server-b is working just
Hi,
On Mon, Mar 17, 2003 at 11:47:58AM +0100, Toni Mueller wrote:
On Tue, Feb 04, 2003 at 03:21:09PM -0600, Chris Parker wrote:
At 10:04 PM 2/4/2003 +0100, Jacques Caruso wrote:
Without success (the server continues to proxy the request for local
users, and thus rejects our local users).
Le Jeudi 6 Février 2003 15:40, Alan DeKok a écrit :
++---+---+---+--+
| 6 | internix | No-Such-Attribute | | := |
What the heck is that line for?
It's an ugly kludge done because some people here found
« counter-intuitive » that groups would
== Call-Check, Auth-Type += Accept
# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I added that condition
| | := |
What the heck is that line for?
# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I
Without repeating what Alan and Chris said:
On Thu, 6 Feb 2003, Jacques Caruso wrote:
The proxy.conf has only one realm :
alien {
type= radius
Shouldn't that be:
realm alien {
type= radius
just wondrin',
Jim
*)...
I disagree. You only want to authenticate users who are in your
local domain. All other users should skip authentication, and go
directly to proxying.
Hem, yes, of course. Sorry for the misunderstanding.
The solution would be to put all of *your* users into a Unix group.
You can
rlm_realm: Setting Stripped-User-Name = **
rlm_realm: Proxying request from user ** to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
Yup, you need to upgrade to the latest CVS version to fix this bug
Jacques Caruso [EMAIL PROTECTED] wrote:
Huh... a Unix group ? Since I'm working on a SQL backend, that isn't
possible, but all our local users are already in a group in the SQL DB.
I've thus added the Auth-Type attribute to the groups' attributes list
in the radgroupreply table. Here is the
', then 'sql' in the
'authorize' section denies access to our local users, inverting the
methods called in 'authorize' results in the non-local ones being
unrecognized. This really drives me nuts)...
Another question is about post-proxying : I originally configured the
RADIUS to send back a 'Framed-IP-Address
to their RADIUS.
I disagree. You only want to authenticate users who are in your
local domain. All other users should skip authentication, and go
directly to proxying.
The solution would be to put all of *your* users into a Unix group.
You can then do:
DEFAULT Group == myusers, Auth-Type
In article [EMAIL PROTECTED],
Alan DeKok [EMAIL PROTECTED] wrote:
Jacques Caruso [EMAIL PROTECTED] wrote:
I have set up two FreeRADIUS (0.8.1, Debian packages recompiled)
servers, with a MySQL replicating backend. Since we provide a local PoP
for a national ISP, I need to proxy requests to
Hi All
I have Fr 0.8.1 running on redhat 7.3. I tried to get answer by searching
mailing list but could not get the right answer.
I am using my radius server for proxying and local authentication. While
proxying, is it possible to add on any rad reply attribute, for instance
Ascend-Data
27-Jan-03 at 13:24, Shohab Baig ([EMAIL PROTECTED]) wrote :
I have Fr 0.8.1 running on redhat 7.3. I tried to get answer by searching
mailing list but could not get the right answer.
I am using my radius server for proxying and local authentication. While
proxying, is it possible to add
I am trying to proxy from one radius server to a remote radius server. What is needed
to set this up. I
have read the proxying pages and cannot figure out what goes on the remote server and
what is on the local
server. Any help will be appreciated.
Roy Wills
Roy Wills [EMAIL PROTECTED] wrote:
I am trying to proxy from one radius server to a remote radius
server. What is needed to set this up. I have read the proxying
pages and cannot figure out what goes on the remote server and what
is on the local server. Any help will be appreciated.
Set up
Hello,
Recently I run into strange problems. My company
has contract with national wide ISP so we can use their access points (HARC) to
allow roaming for our users.
So far - so good. Their radius is at 1645/1646, my
radius (FreeRadius 0.5) is at 1812/1813.
Authorization works fine
Kliment Toshkov [EMAIL PROTECTED] wrote:
Then Accounting-Start should be received but it's not. The same is with
Accounting-Stop packets. Sometimes after 30-60 seconds Accounting-Stop
is received, but that's not regular.
Use 'tcpdump' to see if the packets come into your network. If they
Hi,
Is it possible with FreeRadius to proxy based on Called-Station-Id
instead of realm. A large section of our users do not use realms as part
of the username, but dial-in to different numbers.
I operate two layers of radius servers (currently radiator), but I am
looking at the possibilities
kenw [EMAIL PROTECTED] wrote:
Is it possible with FreeRadius to proxy based on Called-Station-Id
instead of realm. A large section of our users do not use realms as part
of the username, but dial-in to different numbers.
Sure.
DEFAULT Called-Station-Id == foo, Proxy-To-Realm := bar
Thanks Alan,
Which file would I put this, proxy.conf?
Thanks,
Ken
Alan DeKok wrote:
kenw [EMAIL PROTECTED] wrote:
Is it possible with FreeRadius to proxy based on Called-Station-Id
instead of realm. A large section of our users do not use realms as part
of the username, but dial-in to
Ah, on a closer look the user file I expect...
Thanks again,
Ken
kenw wrote:
Thanks Alan,
Which file would I put this, proxy.conf?
Thanks,
Ken
Alan DeKok wrote:
kenw [EMAIL PROTECTED] wrote:
Is it possible with FreeRadius to proxy based on Called-Station-Id
instead of realm. A large
Hi Alan,
I've got this to work, but only the access request is proxied. How would
I go about getting the accounting to proxy as well?
All the best and thanks again,
Ken
Alan DeKok wrote:
kenw [EMAIL PROTECTED] wrote:
Is it possible with FreeRadius to proxy based on Called-Station-Id
instead
At 05:32 PM 11/22/2002 +, kenw wrote:
Hi Alan,
I've got this to work, but only the access request is proxied. How would I
go about getting the accounting to proxy as well?
Add the same to 'acct_users'.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ /
Thanks for that...
Ken
- Original Message -
From: Chris Parker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 22, 2002 5:36 PM
Subject: Re: proxying on Called-Station-Id instead of realm
At 05:32 PM 11/22/2002 +, kenw wrote:
Hi Alan,
I've got this to work
Title: Re: EAP + proxying
Very late ;) , but i confirm that with freeradius-snapshot-20021003
works with :
* EAP-TLS proxying between an Orinoco AP2000 to a Microsoft IAS server.
Laurent.
Raghu wrote:
Laurent Butti wrote:
Hello,
Does FreeRadius support (or will support
it will proxy based upon phone number but not based on realm.
it sends the
username and the realm to the proxy server and then i have to set up proxying on that
server
also if i want to send the realm to the proper server..
these two are put together because they are both the same number but sometimes
- doe.com:1645
[EMAIL PROTECTED] - joe.com:1645
I have tried everything I can imagine would work and nothing seems to work
except proxying just based on the called-station-id .. but i can't seem to
get it to proxy based on the realm before it proxies on the called-station-id
--
Business
- doe.com:1645
[EMAIL PROTECTED] - joe.com:1645
I have tried everything I can imagine would work and nothing seems to work
except proxying just based on the called-station-id .. but i can't seem to
get it to proxy based on the realm before it proxies on the called-station-id
--
Business
I set the nostrip option in the config for that realm under proxy.conf but
when the request made it to the server for the realm joe.con the username
had been stripped.
I've spotted the same behaviour, looking into it right now... It
appears to somehow leave the realm off:
Title: EAP + proxying
Hello,
Does FreeRadius support (or will support) proxying for EAP
authentication methods (MD5/TLS), with a kind of user@realm in EAP
Response Identity which should be used in order to delegate
authentication to a 3rd party AAA ?
Thank you.
Laurent.
Laurent Butti [EMAIL PROTECTED] wrote:
Does FreeRadius support (or will support) proxying for EAP
authentication methods (MD5/TLS), with a kind of user@realm in EAP
Response Identity which should be used in order to delegate
authentication to a 3rd party AAA ?
I don't think so. The EAP
Title: Re: EAP + proxying
from what i saw User-name attribute is the same as Response Identity
located in EAP-Message attribute, as the Radius packet is forged by
Access Points. So User-name attribute could be used to proxying because
it is user@realm ? Am i wrong ?
Laurent.
Alan
Laurent Butti [EMAIL PROTECTED] wrote:
from what i saw User-name attribute is the same as Response Identity
located in EAP-Message attribute, as the Radius packet is forged by
Access Points. So User-name attribute could be used to proxying because
it is user@realm ?
If that's the case
Laurent Butti wrote:
Hello,
Does FreeRadius support (or will support) proxying for EAP
authentication methods (MD5/TLS), with a kind of user@realm in EAP
Response Identity which should be used in order to delegate
authentication to a 3rd party AAA ?
EAP Proxying is supported if the
1
Alan DeKok wrote:
Laurent Butti [EMAIL PROTECTED] wrote:
Does FreeRadius support (or will support) proxying for EAP
authentication methods (MD5/TLS), with a kind of user@realm in EAP
Response Identity which should be used in order to delegate
authentication to a 3rd party AAA
Alan DeKok wrote:
If there is NO User-Name attribute in the packet, then the server is
unable to root through the EAP-Message stuff to find what EAP thinks
is the user name. In that case, without a User-Name attribute,
proxying cannot be done on realms in User-Names.
I am not sure if I
Raghu [EMAIL PROTECTED] wrote:
What this does is User-Name attribute is created
from EAP-Identity response, if it is not present.
Ah, I didn't know that, but it makes sense, and it's the right thing
to do.
Alan DeKok.
This was a problem in v.3 and v.4 for which I submitted a patch which was,
apparently, applied. Perhaps you would like to verify this. Here are the details:
In searching the list, I see that this was a reported problem for v0.3 and that
there is a patch... so, after taking a look at v0.4 I
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
Chris Parker
Sent: Thursday, March 28, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: Proxying
At 09:46 AM 3/28/2002 -0600, Chris Parker wrote:
At 05:15 PM 3/27/2002 -0800, Justin Ainsworth wrote:
What does debug say
Also, are you sure it is proxying based on your 'prefix'
definition, and not your suffix definition?
Well, I know that it is proxying to the IPASS radius server that is
defined in the proxy.conf. And if I enter just the [EMAIL PROTECTED] it
proxies correctly to the correct radius server
At 01:55 PM 3/27/2002 -0800, Justin Ainsworth wrote:
Also, are you sure it is proxying based on your 'prefix'
definition, and not your suffix definition?
Well, I know that it is proxying to the IPASS radius server that is
defined in the proxy.conf. And if I enter just the [EMAIL PROTECTED
, and it starts proxying
correctly. But as soon as I uncomment the suffix, no matter which order
they are in, the proxying stops working. And it works the other way by
commenting out the prefix, and leaving the suffix in place.
So, I guess my question is, In order for me to proxy one realm that has
are looking for.
I have tried that. So this would be the order:
authorize {
preprocess
prefix
suffix
}
That should be what you want.
So, I decided to comment out the suffix, and it starts proxying
correctly. But as soon as I uncomment the suffix, no matter which order
What does debug say ( radiusd -x -x -x ) about the part where
it is checking the realms?
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm IPASS
modcall[authorize]: module prefix returns
Justin Ainsworth [EMAIL PROTECTED] wrote:
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm IPASS
modcall[authorize]: module prefix returns updated
rlm_realm: Proxying request from user
Eric Dean [EMAIL PROTECTED] wrote:
However, if I try to modify the reply attributes to add certain attributes
within the users file by specifying
DEFAULT Suffix==foo.bar.com
Session-Timeout = 28800,
Idle-Timeout = 900
Then it stops authenticating. Debug shows that
Eric Dean [EMAIL PROTECTED] wrote:
Anyway, I wound up
googling my way into a solution that looks something like:
DEFAULT Suffix = foo.com, Strip-User-Name = No
Hint = foo,
Why not use Realm?
The 'Suffix' attribute matches a suffix, AND strips it off.
..and leaves the @
We are proxying a realm i.e. foo.bar.com
I have the proxy.conf set ok with the nostrip option and it works fine.
However, if I try to modify the reply attributes to add certain attributes
within the users file by specifying
DEFAULT Suffix==foo.bar.com
Session-Timeout = 28800
I have realms I am proxying to defined within proxy.conf. I also have
attributes associated with a suffix defined within users that will augment
replies. However, when I specify a Suffix within the Users file, it strips
the realm from the proxied user. How do I keep radius from stripping
[EMAIL PROTECTED] wrote:
Need to modifying the username attribute before it gets sent on to the proxy
based upon number that is dialed, only for certain numbers and not others.
rlm_attr_rewrite should be updated to also look for rewrite
information in the list of configuration items. But
Brian Gordon [EMAIL PROTECTED] wrote:
Modifying the username attribute by adding a @somedomain.com to the
username before proxying it over to another radius server? This would be a
very cool feature for us for a certain need.
rlm_attr_rewrite may do this already. See raddb/radiusd.conf
I forgot to mention, I need to only occur when a user dials into a specific
phone number.
Brian
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 22, 2001 2:51 PM
Subject: Re: Modifying username before proxying?
Brian Gordon [EMAIL PROTECTED
, September 27, 2001 1:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Proxying to Cistron
Cistron does send the ack packet correctly, but FreeRADIUS
remains oblivious to it and keeps on sending the acc start and
stop packets for nearly 20 times.
--
Mojahed
System Administrator
Agni Systems Limited
I'm
On Thu, Sep 27, 2001 at 10:12:58AM +0600, Mojahedul Hoque Abul Hasanat wrote:
On Wed, Sep 26, 2001 at 09:49:50PM +, Miquel van Smoorenburg wrote:
radius.log. For any request that came to it from the FreeRADIUS
Holly Shit! I prayed then installed a recent snapshot
(20010924). It
Mustafa N. Deeb [EMAIL PROTECTED] wrote:
Accounting through proxy does not work
You have to the changes below and recompile, I hope FreeRadius
programmers will add this in next releases
I don't recall seeing that patch, and it's for an *old* version of
the source.
All patches should be
proxying to a Cistron AAA server. What appeared to be the problem was an
incorrect shared secret. You may want to double check that. It's definitely
something that is easily overlooked.
Aaron Weiker