Hi Fabrice,

10.18.23.60 is the IP of the National Roaming Operator for eduroam in my country.

I have attached my eduroam config file.


On Thu, May 24, 2018 at 7:43 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> What is 10.18.23.60?
>
> Can you share with me your file /usr/local/pf/raddb/sites-enabled/eduroam?
>
> On 2018-05-24 at 00:46, jabang konate via PacketFence-users wrote:
>
> Hi Fabrice,
> today I tried again with my PacketFence.
>
> In the packetfence-tunnel configuration I changed the configuration like this:
>    if (update) {
>             update control {
>                 &MS-CHAP-Use-NTLM-Auth := No
>             }
>         }
>      }
> because in the output I don't see "ok". Now I can log in with my LDAP
> account, but only with port 1812 on my access point, not with port 11812.
> If I use 11812, my request is always forwarded to Realm eduroam, my home
> server, and not forwarded to the packetfence virtual server
> (sites-enabled/packetfence then sites-enabled/packetfence-tunnel) as you
> said in scenario 1.
>
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Checking for suffix after "@"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Looking up realm "xyz.ac.id" for User-Name = "testu...@xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Found realm "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Adding Realm = "xyz.ac.id"
> (1) Thu May 24 11:06:15 2018: Debug: suffix: Authentication realm is LOCAL
> (1) Thu May 24 11:06:15 2018: Debug:     [suffix] = ok
> (1) Thu May 24 11:06:15 2018: Debug: ntdomain: Request already has destination realm set.  Ignoring
> (1) Thu May 24 11:06:15 2018: Debug:     [ntdomain] = noop
> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/) {
> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  -> TRUE
> (1) Thu May 24 11:06:15 2018: Debug:     if (User-Name =~ /@/)  {
> (1) Thu May 24 11:06:15 2018: Debug:       update control {
> (1) Thu May 24 11:06:15 2018: Debug:       } # update control = noop
> (1) Thu May 24 11:06:15 2018: Debug:     } # if (User-Name =~ /@/)  = noop
> (1) Thu May 24 11:06:15 2018: Debug:     ... skipping else: Preceding "if" was taken
> (1) Thu May 24 11:06:15 2018: Debug: eap: Request is supposed to be proxied to Realm eduroam. Not doing EAP.
> (1) Thu May 24 11:06:15 2018: Debug:     [eap] = noop
>
> I have attached my radiusd-eduroam.sock log and a picture of my configuration
> of the exclusive source eduroam.
>
> Regards.
>
>
> On Thu, May 24, 2018 at 12:49 AM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>>
>>
>> On 2018-05-23 at 13:36, jabang konate via PacketFence-users wrote:
>>
>> Hi Fabrice.
>>
>> Thanks for the speedy response.
>>
>> > so i am not sure what you try to do with the ldap module.
>> The ldap module is for configuring users with OpenLDAP, right? I read about
>> it in "EAP Authentication against OpenLDAP".
>>
>> Yes, the only difference is that you have to disable NTLM-Auth if ldap
>> returns ok, to avoid "ERROR: mschap: Program returned code (1) and output
>> 'Reading winbind reply failed! (0xc0000001)'".
>>
>>
>>
>> > You have 3 scenarios:
>> Yes, I want it like that.
>>
>> I will try again and will share the results on this topic.
>>
>> Thank you for your advice, Fabrice.
>>
>>
>> On Thu, May 24, 2018 at 12:22 AM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Jabang,
>>>
>>> So I am not sure what you try to do with the ldap module.
>>>
>>> You have 3 scenarios:
>>>
>>> 1: a user from your university connects on the SSID eduroam of your
>>> university (the AP/controller uses port 11812).
>>> You need to configure the local realm (let's say myuniversity.org) in
>>> the eduroam authentication source and configure ldap in packetfence-tunnel.
>>> So when this user tries to connect on the eduroam SSID with
>>> u...@myuniversity.org, the eduroam virtual server will detect the
>>> realm myuniversity.org and forward the request to the packetfence virtual
>>> server (sites-enabled/packetfence then sites-enabled/packetfence-tunnel).
>>> And in packetfence-tunnel you have something like that:
>>>
>>> ```
>>> authorize {
>>>         suffix
>>>         ntdomain
>>>         eap {
>>>                 ok = return
>>>         }
>>>         files
>>>         ldap
>>>         if (ok) {
>>>             update control {
>>>                 &MS-CHAP-Use-NTLM-Auth := No
>>>             }
>>>         }
>>>     }
>>> ```
>>>
>>> 2: u...@myuniversity.org is travelling and connects on the SSID eduroam
>>> at a Montreal university.
>>> The local Montreal RADIUS server will forward to eduroam, and eduroam
>>> will forward to your PacketFence server on port 1812 (you need to
>>> configure that on the eduroam side).
>>>
>>> 3: u...@univmontreal.org is connecting on your SSID eduroam; the realm
>>> is unknown, so the request will be forwarded to eduroam, and eduroam
>>> forwards it to the Montreal RADIUS server.
>>>
>>> Is that what you want to do?
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>>
>>> On 2018-05-23 at 12:57, jabang konate via PacketFence-users wrote:
>>>
>>> Thanks Fabrice, let me clarify my goals first. I'm still confused about
>>> which file I must configure, packetfence-tunnel or the eduroam file in
>>> sites-available.
>>> My PacketFence will act as the manager of eduroam users, so I will use port
>>> 11812 on my access point.
>>>
>>> Here are the steps of how I configured eduroam in PacketFence.
>>> 1. set my local REALM.
>>> 2. configure the exclusive source eduroam, add my local realm from step 1,
>>> then create the authentication rule "catch all" with role default and access
>>> duration 12 hours.
>>> 3. add the switch configuration
>>> 4. configure the ldap module in FreeRADIUS
>>> 5. configure the file packetfence-tunnel? or eduroam?
>>> 6. restart freeradius and iptables
>>>
>>> In step 5 I'm still confused: if I'm using 11812, must I configure the
>>> eduroam file or still packetfence-tunnel?
>>>
>>>
>>>
>>> On Wed, May 23, 2018 at 10:55 PM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> If it's a server for eduroam (i.e. the eduroam servers use this server
>>>> for your domain) then 1812; if it's to manage eduroam users who connect on
>>>> an eduroam SSID then 11812.
>>>>
>>>>
>>>> Also, what you can do in packetfence-tunnel:
>>>>
>>>>
>>>>     #  The ldap module reads passwords from the LDAP database.
>>>>     ldap
>>>>     if (ok) {
>>>>         update control {
>>>>             &MS-CHAP-Use-NTLM-Auth := No
>>>>         }
>>>>     }
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>>
>>>>
>>>> On 2018-05-23 at 11:38, jabang konate via PacketFence-users wrote:
>>>>
>>>> Thanks for your reply, Fabrice.
>>>> Here I attach my packetfence-tunnel file.
>>>>
>>>> And which port should I use for my access point, 1812 or 11812, in the
>>>> RADIUS configuration for eduroam?
>>>> Thank you
>>>>
>>>> On Wed, May 23, 2018 at 7:33 PM, Fabrice Durand via PacketFence-users <
>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>>> Hello Jabang,
>>>>>
>>>>> can you paste your packetfence-tunnel file ?
>>>>> Regards
>>>>>
>>>>> Fabrice
>>>>>
>>>>>
>>>>>
>>>>> On 2018-05-23 at 04:08, jabang konate via PacketFence-users wrote:
>>>>>
>>>>> My PacketFence server version is 8.0.1 and I want to configure
>>>>> PacketFence as an eduroam server with OpenLDAP as the user database,
>>>>> so I looked into the eduroam section of the PacketFence documentation and
>>>>> "EAP Authentication against OpenLDAP".
>>>>>
>>>>> When I try to log in with my laptop, I always get an Access-Reject.
>>>>>
>>>>> From the log I see that I can connect to my LDAP server, then I see an
>>>>> error like this:
>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
>>>>> (7) Wed May 23 14:32:55 2018: Debug: mschap: External script failed
>>>>> (7) Wed May 23 14:32:55 2018: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
>>>>>
>>>>> Is it the root cause why I always get an Access-Reject?
>>>>> Then I checked: the winbindd service is not running, but I can't start the
>>>>> winbindd service
>>>>> (Service 'winbindd' is not managed by PacketFence. Therefore, no
>>>>> action will be performed)
>>>>>
>>>>> I attach my radius log.
>>>>> Please give me some advice.
>>>>> Thank you
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Fabrice Durand
>>>> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
# This file is generated from a template at /usr/local/pf/conf/radiusd/eduroam
# Any changes made to this file will be lost on restart

server eduroam {
#
#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {

        # Add in PacketFence specific configuration
        update {
                &request:Realm !* ANY
                &request:FreeRADIUS-Client-IP-Address := "%{Packet-Src-IP-Address}"
                &control:PacketFence-RPC-Server = ${rpc_host}
                &control:PacketFence-RPC-Port = ${rpc_port}
                &control:PacketFence-RPC-User = ${rpc_user}
                &control:PacketFence-RPC-Pass = ${rpc_pass}
                &control:PacketFence-RPC-Proto = ${rpc_proto}
                &control:Tmp-Integer-0 := "%l"
                &control:PacketFence-Request-Time := 0
        }
        rewrite_calling_station_id
        rewrite_called_station_id
        #
        #  Take a User-Name, and perform some checks on it, for spaces and other
        #  invalid characters.  If the User-Name appears invalid, reject the
        #  request.
        #
        #  See policy.d/filter for the definition of the filter_username policy.
        #
        filter_username

        #
        #  Some broken equipment sends passwords with embedded zeros.
        #  i.e. the debug output will show
        #
        #       User-Password = "password\000\000"
        #
        #  This policy will fix it to just be "password".
        #
        filter_password

        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        preprocess

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        suffix
        ntdomain

        # Eduroam needs a "full" username with a domain part (username@domain)
        # If request does not contain username with @domain part, reject it
        # rather than sending it to Eduroam
        if (User-Name =~ /@/) {
                update control {
                        Proxy-To-Realm := "eduroam"
                }
        }
        else {
                reject
        }

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        #
        #  The EAP module returns "ok" if it is not yet ready to
        #  authenticate the user.  The configuration below checks for
        #  that code, and stops processing the "authorize" section if
        #  so.
        #
        #  Any LDAP and/or SQL servers will not be queried for the
        #  initial set of packets that go back and forth to set up
        #  TTLS or PEAP.
        #
        eap {
                ok = return
        }

        #
        #  Read the 'users' file.  In v3, this is located in
        #  raddb/mods-config/files/authorize
        #files

        # Accept any non-eap request and send it to the packetfence module for authorization
        if ( !EAP-Message ) {
                update {
                        &control:Auth-Type := Accept
                }
        }
        packetfence-eap-mac-policy
        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in mods-available/sql
        #-sql
        #ldap
        #if (ok) {
        #update control {
        #    &MS-CHAP-Use-NTLM-Auth := No
        #   }
        #}
        #
        #  If no other module has claimed responsibility for
        #  authentication, then try to use PAP.  This allows the
        #  other modules listed above to add a "known good" password
        #  to the request, and to do nothing else.  The PAP module
        #  will then see that password, and use it to do PAP
        #  authentication.
        #
        #  This module should be listed last, so that the other modules
        #  get a chance to set Auth-Type for themselves.
        #
        pap

}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to or forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }



        #  Uncomment it if you want to use ldap for authentication
        #
        #  Note that this means "check plain-text password against
        #  the ldap database", which means that EAP won't work,
        #  as it does not supply a plain-text password.
        #
        #  We do NOT recommend using this.  LDAP servers are databases.
        #  They are NOT authentication servers.  FreeRADIUS is an
        #  authentication server, and knows what to do with authentication.
        #  LDAP servers do not.
        #
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess
        rewrite_called_station_id

        #
        #  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
        #  into a single 64bit counter Acct-[Input|Output]-Octets64.
        #
#       acct_counters64

        #
        #  Session start times are *implied* in RADIUS.
        #  The NAS never sends a "start time".  Instead, it sends
        #  a start packet, *possibly* with an Acct-Delay-Time.
        #  The server is supposed to conclude that the start time
        #  was "Acct-Delay-Time" seconds in the past.
        #
        #  The code below creates an explicit start time, which can
        #  then be used in other modules.  It will be *mostly* correct.
        #  Any errors are due to the 1-second resolution of RADIUS,
        #  and the possibility that the time on the NAS may be off.
        #
        #  The start time is: NOW - delay - session_length
        #

        #       update request {
        #               FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
        #       }


        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
        #       IPASS
        suffix
        ntdomain

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
        # Add in PacketFence specific configuration
        update {
                &request:FreeRADIUS-Client-IP-Address := "%{Packet-Src-IP-Address}"
                &control:PacketFence-RPC-Server = ${rpc_host}
                &control:PacketFence-RPC-Port = ${rpc_port}
                &control:PacketFence-RPC-User = ${rpc_user}
                &control:PacketFence-RPC-Pass = ${rpc_pass}
                &control:PacketFence-RPC-Proto = ${rpc_proto}
        }
        rewrite_calling_station_id
        rewrite_called_station_id

        #
        #  If you receive stop packets with zero session length,
        #  they will NOT be logged in the database.  The SQL module
        #  will print a message (only in debugging mode), and will
        #  return "noop".
        #
        #  You can ignore these packets by uncommenting the following
        #  three lines.  Otherwise, the server will not respond to the
        #  accounting request, and the NAS will retransmit.
        #
        if (noop) {
                ok
        }

        #  Filter attributes from the accounting response.
        attr_filter.accounting_response
    
        rest
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        #       radutmp

        #
        #  See "Simultaneous Use Checking Queries" in mods-available/sql
        #       sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {

        # Add in PacketFence configuration
        update {
                &request:Realm[0] !* ANY
                &request:FreeRADIUS-Client-IP-Address := "%{Packet-Src-IP-Address}"
                &control:PacketFence-RPC-Server = ${rpc_host}
                &control:PacketFence-RPC-Port = ${rpc_port}
                &control:PacketFence-RPC-User = ${rpc_user}
                &control:PacketFence-RPC-Pass = ${rpc_pass}
                &control:PacketFence-RPC-Proto = ${rpc_proto}
        }
        #
        #  For EAP-TTLS and PEAP, add the cached attributes to the reply.
        #  The "session-state" attributes are automatically cached when
        #  an Access-Challenge is sent, and automatically retrieved
        #  when an Access-Request is received.
        #
        #  The session-state attributes are automatically deleted after
        #  an Access-Reject or Access-Accept is sent.
        #
        #update {
        #       &reply: += &session-state:
        #}

        rest
        if (updated || ok || noop) {
                request-timing
                -sql
        } else {
                request-timing
                -sql_reject
        }

        attr_filter.packetfence_post_auth
        linelog
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #
        #  Add the ldap module name (or instance) if you have set
        #  'edir_account_policy_check = yes' in the ldap module configuration
        #
        #  The "session-state" attributes are not available here.
        #
        Post-Auth-Type REJECT {
                request-timing
                # log failed authentications in SQL, too.
                -sql_reject

                attr_filter.access_reject
                attr_filter.packetfence_post_auth

                # Insert EAP-Failure message if the request was
                # rejected by policy instead of because of an
                # authentication failure
                eap

                #  Remove reply message if the response contains an EAP-Message
                remove_reply_message_if_eap
                linelog
        }
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

        #
        #  If you are proxying LEAP, you MUST configure the EAP
        #  module, and you MUST list it here, in the post-proxy
        #  stage.
        #
        #  You MUST also use the 'nostrip' option in the 'realm'
        #  configuration.  Otherwise, the User-Name attribute
        #  in the proxied request will not match the user name
        #  hidden inside of the EAP packet, and the end server will
        #  reject the EAP request.
        #
        eap

        #
        #  If the server tries to proxy a request and fails, then the
        #  request is processed through the modules in this section.
        #
        #  The main use of this section is to permit robust proxying
        #  of accounting packets.  The server can be configured to
        #  proxy accounting packets as part of normal processing.
        #  Then, if the home server goes down, accounting packets can
        #  be logged to a local "detail" file, for processing with
        #  radrelay.  When the home server comes back up, radrelay
        #  will read the detail file, and send the packets to the
        #  home server.
        #
        #  With this configuration, the server always responds to
        #  Accounting-Requests from the NAS, but only writes
        #  accounting packets to disk if the home server is down.
        #
#       Post-Proxy-Type Fail-Accounting {
#                       detail
#       }
}
}