FreeRadius 2.1.8 and MySQL
All,

I have a 2.1.8 freeradius server running and have recently added MySQL into the mix. I am attempting to authenticate a user via EAP-TTLS with a PAP inner (for simplicity's sake atm). The user is valid, in the DB with Cleartext-Password, and auths fine when doing a radtest (PAP), however, when EAP-TTLS is thrown in the mix it fails with the following no auth type config'd error. I also attempted to place an Auth-Type == PAP into the DB, but that didn't help the EAP auth.

When I remove MySQL, and revert to the users file, the user auths fine even with EAP-TTLS and a PAP inner.

I have been scratching my head on this one trying different settings and DB entries and looking at the logs, but am failing to see what I am missing.

Any ideas?

Thanks,
John

++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = testing, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = testing
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [testing/password] (from client purewave port 0 cli 00:1d:8f:00:03:4d via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
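An added example, not part of the original post: a small parser for debug lines of the shape quoted above. It groups the `++[module] returns ...` lines by virtual server and, for any pass rejected with the "No authenticate method" message, reports which expected modules never ran. The sample log is constructed from the post's output, and the expected module name `sql` is an assumption based on the post's mention of MySQL.

```python
import re

# Constructed sample: module-return lines taken from the post's debug output.
SAMPLE_LOG = """\
++[mschap] returns noop
++[unix] returns notfound
++[suffix] returns ok
++[control] returns ok
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
} # server inner-tunnel
++[eap] returns invalid
"""

MODULE_RE = re.compile(r"^\s*\+\+\[([\w.-]+)\] returns (\w+)\s*$")
SERVER_END_RE = re.compile(r"^\s*\}\s*#\s*server\s+(\S+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"

def analyze(log_text, expected=("sql",)):  # "sql" is an assumed module name
    """Return one finding per virtual-server pass rejected for lack of an Auth-Type."""
    findings, modules, rejected = [], [], False

    def flush(server):
        nonlocal modules, rejected
        if rejected:
            names = [name for name, _ in modules]
            findings.append({"server": server, "modules": modules,
                             "missing": [e for e in expected if e not in names]})
        modules, rejected = [], False  # start a fresh pass

    for line in log_text.splitlines():
        m = MODULE_RE.match(line)
        end = SERVER_END_RE.match(line)
        if m:
            modules.append((m.group(1), m.group(2)))
        elif NO_AUTH_TYPE in line:
            rejected = True
        elif end:  # "} # server <name>" closes the current virtual server
            flush(end.group(1))
    flush(None)  # lines after the last closing brace belong to the outer server
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["server"], "ran", [n for n, _ in f["modules"]], "missing", f["missing"])
```
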
Re: Multiple instance of proxy
This configuration is located in proxy.conf. To proxy any @MYREALM1 requests to one server, and @MYREALM2 to another, you would enter something like the following in that file:

realm MYREALM1 {
        authhost = radius.company1.com:1600
        accthost = radius.company1.com:1601
        secret = testing123
        nostrip
}

realm MYREALM2 {
        authhost = radius.company2.com:1812
        accthost = radius.company2.com:1813
        secret = testing123
        nostrip
}

There are a lot of options, but it is explained in great detail in proxy.conf.

Hope that helps.

John

On Fri, Apr 23, 2010 at 8:38 AM, brisston...@free.fr wrote:
> Quoting Alan DeKok al...@deployingradius.com:
>
>> brisston...@free.fr wrote:
>>> I have a question about proxy requests with freeradius: is it possible to run multiple instances of proxy (not the same but the same daemon) which use different realm configurations?
>>
>> Yes.
>>
>> Alan DeKok.
>
> Thanks but... can you explain to me how I can do this? I tried to put a realm section in the server section but it doesn't work.
> Can you help me please?
> Thanks in advance
Re: freeradius proxy with 802.1x termination
Thanks for the tips guys. Been doing some more digging and learning a lot... but maybe I should take a step back here and explain what I am trying to accomplish.

My client Ubiquiti Nanostation only supports EAP-TTLS MSCHAPv2. My NAS only supports access-requests using PAP/CHAP passwords in clear-text.

I am attempting to set up a Radius Proxy that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.

The more I read, the more I am getting the impression that this is not possible. Is that the case?

John

On Wed, Jan 6, 2010 at 3:43 PM, Alan DeKok al...@deployingradius.com wrote:
> John Gammons wrote:
>> After doing some more digging, I think I am catching onto this... somewhat. It sounds like I need to have the Radius Proxy authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.
>
> Yes.
>
>> I have set up the Outer identity to be anonym...@outer which is proxied to LOCAL,
>
> Er... no. Don't proxy it.
>
>> while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.
>
> See eap.conf, proxy_tunneled_request_as_eap.
>
>> Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)
>
> See doc/aaa.txt for a simple introduction to the process.
>
> Alan DeKok.
Re: freeradius proxy with 802.1x termination
Sorry, by NAS I was referring to the Home Radius Server (guess my terminology was incorrect), but I guess that answers the question anyway.

John

On Thu, Jan 7, 2010 at 12:55 PM, Alan DeKok al...@deployingradius.com wrote:
> John Gammons wrote:
>> My client Ubiquiti Nanostation only supports EAP-TTLS MSCHAPv2. My NAS only supports access-requests using PAP/CHAP passwords in clear-text.
>
> What does that mean?
>
>> I am attempting to set up a Radius Proxy that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.
>
> The NAS is a RADIUS client. It originates Access-Requests. It doesn't receive them, and it definitely doesn't do authentication.
>
>> The more I read, the more I am getting the impression that this is not possible. Is that the case?
>
> You can't convert MS-CHAP into PAP or CHAP. And I have no idea what you mean when you say the NAS does authentication.
>
> Alan DeKok.
Re: freeradius proxy with 802.1x termination
After doing some more digging, I think I am catching onto this... somewhat. It sounds like I need to have the Radius Proxy authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.

I have set up the Outer identity to be anonym...@outer which is proxied to LOCAL, while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.

Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)

John

On Tue, Jan 5, 2010 at 12:08 PM, jgamm...@gmail.com wrote:
> I am attempting to configure freeradius to terminate an 802.1x EAP-TTLS authentication, but forward/proxy the user/pass to another radius server. I can get it to standard proxy, and I can get it to function as a standalone radius server with EAP-TTLS, but can't seem to find any good information on how to do this.
>
> I assume someone has been there done that... any help would be greatly appreciated.
>
> Thanks,
> John