If I include both of these lines:
DEFAULT FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"
In the config on my proxy radius server, the log on the "myrealm" radius server never sees any requests.
On the other hand, if I *only* include this line:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "myrealm"
Then the "myrealm" radius server does receive a request from the proxy, but issues the following complaint in its output logs:
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
I'm stumped again. Any suggestions?
On Apr 13, 2004, at 2:28 PM, Alan DeKok wrote:
Bob McCormick <[EMAIL PROTECTED]> wrote:
Sorry, I guess my description was a little vague. I want to handle on
EAP types on the proxy radius server, but send the inner MS-CHAP
request to another radius server.
OK..
PEAP is the only one listed in my config right now just because it's the only one I've been testing with (I'm trying to follow your advice actually
Don't listen to *everything* I say...
and keep the config as simple as I can).
That's a good idea, though.
So the issues are:
a) somehow tell tunneled sessions from non-tunneled sessions
b) proxy tunneled sessions
c) don't proxy non-tunneled sessions
Requests inside of the tunnel have "FreeRADIUS-Proxied-To = 127.0.0.1"
set. Requests outside of the tunnel don't have that attribute at all.
So you should be able to do:
#---
DEFAULT FreeRADIUS-Proxied-To =* 127.0.0.1, Proxy-To-Realm := LOCAL
#---
i.e. for requests outside of the tunnel, force them to be handled locally.
#---
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := "foo.com"
#---
i.e. for requests inside of the tunnel, force them to be proxied to "foo.com".
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
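Added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of first-match evaluation in the `users` file, using the operator meanings from the FreeRADIUS `users` file documentation, applied to the two entries discussed above. The `!*` variant and the sample requests are constructed for illustration, and Fall-Through is not modeled.

```python
# Simplified model of how the FreeRADIUS "users" file selects a DEFAULT entry.
# Check-item operators, as documented for the users file:
#   ==  attribute is present in the request and equal to the value
#   =*  attribute is present in the request (the value is ignored)
#   !*  attribute is absent from the request (the value is ignored)
# Entries are tried top to bottom and the first match wins (no Fall-Through here).

ATTR = "FreeRADIUS-Proxied-To"

def item_matches(request, attr, op, value):
    if op == "==":
        return request.get(attr) == value
    if op == "=*":
        return attr in request
    if op == "!*":
        return attr not in request
    raise ValueError(f"unsupported operator: {op}")

def proxy_realm(entries, request):
    """Return the Proxy-To-Realm set by the first matching entry, or None."""
    for (attr, op, value), realm in entries:
        if item_matches(request, attr, op, value):
            return realm
    return None

# The two entries from the thread, in the order they were posted.
BOTH_LINES = [((ATTR, "=*", "127.0.0.1"), "LOCAL"),
              ((ATTR, "==", "127.0.0.1"), "myrealm")]
# Only the second entry, as in the second test described in the thread.
SECOND_ONLY = BOTH_LINES[1:]
# Constructed variant (an assumption, not from the thread): first entry tests
# for the attribute being absent instead of present.
ABSENT_FIRST = [((ATTR, "!*", "127.0.0.1"), "LOCAL"),
                ((ATTR, "==", "127.0.0.1"), "myrealm")]

# Constructed sample requests: outside the tunnel and inside the tunnel.
OUTER = {"User-Name": "bob"}
INNER = {"User-Name": "bob", ATTR: "127.0.0.1"}

def outcomes(entries):
    """Realm chosen for the outer and the inner (tunneled) request."""
    return {"outer": proxy_realm(entries, OUTER),
            "inner": proxy_realm(entries, INNER)}

if __name__ == "__main__":
    for name, entries in [("both lines", BOTH_LINES),
                          ("second line only", SECOND_ONLY),
                          ("!* variant", ABSENT_FIRST)]:
        print(f"{name:17s} {outcomes(entries)}")
```

In this model, with both posted lines the tunneled request matches the `=*` entry first and is assigned `LOCAL`, which is consistent with the "myrealm" server never seeing a request.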

