Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilege separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an externally
presented service.

Also, it is possible to get your local users to have local privileges
when using their eduroam-formatted credentials on the eduroam
SSID, just a bit tricky.

Here we run 4 instances for eduroam, two for IdP and two for SP
(one each 3.0 radsec proxy/filter and one 2.x internal). Only the internal
sessions have any interaction with LDAP/SQL/AD.
________________________________
From: [email protected] 
[mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Friday, March 23, 2012 10:13 AM
To: [email protected]
Subject: can you internally proxy a request more than once?

Hi,

I have been using FreeRADIUS to authenticate visitors onto a wireless network 
using LDAP against Active Directory. I now need to also deploy eduroam.

I thought it would be sensible to do this as two separate virtual servers, so I 
created a new minimal 'default' server that proxies to a 'visitors' or 
'eduroam' virtual server based on the wireless SSID, which the wireless NAS 
adds to an attribute in the Access-Request. The default server sets the 
Proxy-To-Realm attribute in the list of control items. The Realm then maps to a 
home_server in proxy.conf which has an associated virtual server e.g.

  # proxy.conf: a "home server" that is really a local virtual server
  home_server virtual_server_for_eduroam {
    type = auth+acct
    virtual_server = eduroam
  }

  # pool containing only that virtual server
  home_server_pool virtual_server_for_eduroam_pool {
    home_server = virtual_server_for_eduroam
  }

  # realm named in Proxy-To-Realm by the 'default' server
  realm EDUROAM_VIRTUAL_SERVER {
    pool = virtual_server_for_eduroam_pool
  }

The 'visitors' virtual server works fine.

The 'eduroam' virtual server proxies the Access-Request to LOCAL or our 
National RADIUS Proxy Servers depending on whether the realm in the User-Name 
attribute is our realm or not. Local authentications are performed against 
Active Directory, and so we are using PEAP-MS-CHAPv2. For local authentications 
the inner MS-CHAPv2 authentications are proxied to the 'inner-tunnel' virtual 
server.

If (for testing) I configure clients.conf so that Access-Requests from the 
wireless NAS are always sent to the 'eduroam' virtual server, then it works 
fine. The 'eduroam' virtual server doesn't work if it is called from the new 
'default' server using internal proxying. In that case I get an error saying 
"Multiple levels of TLS nesting is invalid".

I'm running FreeRADIUS 2.1.11.

I may not have provided enough detail, but am I doing something that obviously 
won't work? I don't know if it's possible to internally proxy a request more 
than once, e.g. to two different virtual servers. If it isn't possible, do I 
have any other options? Would a solution be to make the virtual servers listen 
on two different IP addresses, and configure the NAS to use a different RADIUS 
server IP address for each SSID? Alternatively, could the NAS continue to send 
all RADIUS packets to one IP address, and the default server proxy to virtual 
servers listening on different IP addresses?

Thanks in advance of any help you can give,
Have a good weekend,

Mark.
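Added example, not configuration from the thread or from the FreeRADIUS project: a FreeRADIUS 2.x layout for the setup described in the post, showing the 'default' virtual server choosing a realm from the SSID and, as the alternative raised at the end of the post, giving each SSID its own listener bound directly to a virtual server so no internal proxy hop happens before the EAP-handling server. The attribute carrying the SSID (Called-Station-Id in "AP-MAC:SSID" form, which most wireless NASes send), the visitors realm and pool names, and the 192.0.2.x addresses are assumptions.

```conf
# --- sites-enabled/default: dispatch on SSID via Proxy-To-Realm --------
# Assumption: the NAS sends Called-Station-Id as "AP-MAC:SSID".
server default {
    authorize {
        preprocess
        if (Called-Station-Id =~ /:eduroam$/) {
            update control {
                Proxy-To-Realm := "EDUROAM_VIRTUAL_SERVER"
            }
        }
        else {
            update control {
                Proxy-To-Realm := "VISITORS_VIRTUAL_SERVER"
            }
        }
    }
    # No authenticate section is needed here: once Proxy-To-Realm is set,
    # the request is handed to the realm's pool after authorize.
}

# --- proxy.conf: each realm resolves to a local virtual server ---------
# Names for the visitors side are assumed; the eduroam entries are the
# ones from the original post.
home_server virtual_server_for_visitors {
    type           = auth+acct
    virtual_server = visitors
}
home_server_pool virtual_server_for_visitors_pool {
    home_server = virtual_server_for_visitors
}
realm VISITORS_VIRTUAL_SERVER {
    pool = virtual_server_for_visitors_pool
}

home_server virtual_server_for_eduroam {
    type           = auth+acct
    virtual_server = eduroam
}
home_server_pool virtual_server_for_eduroam_pool {
    home_server = virtual_server_for_eduroam
}
realm EDUROAM_VIRTUAL_SERVER {
    pool = virtual_server_for_eduroam_pool
}

# --- Alternative (radiusd.conf): one listener per SSID ------------------
# The NAS is configured with a different RADIUS server address per SSID,
# and each listener is bound straight to its virtual server. The
# 'default' server is not involved, so the EAP server is the first
# virtual server to see the request. Addresses are assumed.
listen {
    type           = auth
    ipaddr         = 192.0.2.10
    port           = 1812
    virtual_server = eduroam
}
listen {
    type           = auth
    ipaddr         = 192.0.2.11
    port           = 1812
    virtual_server = visitors
}
```

With the per-listener layout, accounting needs matching `type = acct` listeners on the same addresses, and the NAS must be told about both address/port pairs; the SSID-based `default` server is then unnecessary and can be left out entirely.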




