
List:       freeradius-users
Subject:    Re: Proxying multiple times to virtual and external servers
From:       Alan Buxey <A.L.M.Buxey@lboro.ac.uk>
Date:       2012-05-24 16:04:49
Message-ID: 64DF0684-1092-4F87-8485-D161CBD512C4@lboro.ac.uk

From my mobile. So terse...

if ("%{Called-Station-Id}" =~ /:eduroam$/) {
        update control {
                # realm "eduroam" is defined in proxy.conf
                Proxy-To-Realm := "eduroam"
        }
}

...or such (there will be some lexical errors above)

Search the mail Archives as there have been similar discussions

PS it's 'eduroam', NEVER a capital E


alan

--
This smartphone has free WiFi worldwide with eduroam, now that IS smart

----- Reply message -----
From: "Graeme Hamilton" <g.j.hamilton@stir.ac.uk>
Date: Thu, May 24, 2012 15:36
Subject: Proxying multiple times to virtual and external servers
To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org>

Hello,

I'm configuring FreeRADIUS (2.1.12) for use as part of our Eduroam deployment. We're using EAP-MSCHAPv2 authentication, so I've got both an outer and inner virtual server configured and working correctly. Currently, the outer server configuration (configured as default, i.e. without a 'server' stanza) assumes that connections from our wireless controller clients are only ever Eduroam-related, and it processes them accordingly - does realm checks, proxy logic, mandatory logging, etc. This is acceptable for now, since Eduroam is currently the only wireless service we provide which uses 802.1X authentication.

Ideally, I'd like a generic default virtual server which would process all authentications initially, but which would act upon the suffix (e.g. ':eduroam') appended to the Called-Station-Id by our wireless controllers to proxy the request off to another virtual server dedicated to that particular function, where further actions specific to that purpose can be carried out. Reading the comments in proxy.conf suggests that it's possible to proxy requests containing a particular realm off to another virtual server, but that such requests cannot subsequently be proxied again. This would break Eduroam, since visitors to our campus need to have their requests proxied off to the national proxy servers once we've processed them.

Is there any way to achieve this functionality whilst retaining the ability to proxy requests multiple times, or should I just dedicate the whole FreeRADIUS instance to Eduroam and use the functionality of our wireless controllers to direct authentication attempts on specific SSIDs to specific RADIUS server groups, if and when the need arises?

Regards,
Graeme

Graeme Hamilton
Senior Network Specialist
Information Services
University of Stirling


--
The Sunday Times Scottish University of the Year 2009/2010
The University of Stirling is a charity registered in Scotland,
number SC 011159.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
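One way to lay out the split Alan sketches, as an added example that is not from the thread or from FreeRADIUS itself: the default server keys on the ':eduroam' Called-Station-Id suffix and hands matching requests to a realm that proxy.conf maps onto a local virtual server, where the realm and suffix handling lives. The home-realm name and the national proxy name, address and secret are placeholders; whether that virtual server can then proxy onward to the national servers is the limitation Graeme quotes from proxy.conf and is not settled by this fragment.

```conf
# --- sites-enabled/default: generic entry point for every 802.1X client ---
authorize {
        preprocess
        # Controllers append ":<SSID>" to Called-Station-Id, e.g.
        # "00-11-22-33-44-55:eduroam": send those to the eduroam realm
        # (a local virtual server); anything else is handled locally.
        if ("%{Called-Station-Id}" =~ /:eduroam$/) {
                update control {
                        Proxy-To-Realm := "eduroam"
                }
        }
        eap
}
# --- proxy.conf ---
# Our own realm, handled locally (placeholder name).
realm example.ac.uk {
}
# Realm that maps onto the local eduroam virtual server.
realm eduroam {
        virtual_server = eduroam
}
# National proxy: assumed name, address and secret, not real values.
home_server nrps1 {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = CHANGEME
}
home_server_pool national_proxies {
        type = fail-over
        home_server = nrps1
}
# Every realm that is not ours goes to the national proxies.
realm DEFAULT {
        auth_pool = national_proxies
        nostrip
}
# --- sites-enabled/eduroam: dedicated virtual server ---
server eduroam {
        authorize {
                preprocess
                # eduroam-specific realm checks and mandatory logging go here
                suffix    # user@realm: sets Proxy-To-Realm for foreign realms
                eap
        }
        authenticate {
                eap
        }
}
```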

