Authenticate locally then proxy

Authenticate locally then proxy

Júlíus Þór Bess Ríkharðsson
Hi,


I'm wondering if I can authenticate users locally and then proxy the
request. I'm hoping to authenticate the user on both servers, and if
both can, then reply with Access-Accept.

I've been searching around and it seems like it's only possible in
version 4 because of the way versions up to 3 do proxying. Am I wrong?

I'm hoping that it's possible somehow using unlang in version 3.


The reason for doing this is I want to continue authenticating users
locally (AD as users db) and then proxy the request for MFA/2FA push
notifications.


Kær kveðja / best regards
Júlíus Þór Ríkarðsson
Kær kveðja / Best regards
Júlíus Þór Bess Ríkharðsson
Sérfræðingur / Networking Expert
Net- og samskiptalausnir / Network and telecommunication
[hidden email] / www.origo.is
Tel.: +354 516 1000

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authenticate locally then proxy

Alan DeKok-2
On Jun 22, 2020, at 10:22 AM, Júlíus Þór Bess Ríkharðsson <[hidden email]> wrote:
> I'm wondering if I can authenticate users locally and then proxy the
> request. I'm hoping to authenticate the user on both servers, and if
> both can, then reply with Access-Accept.

  The answer is "it depends".

  For EAP? No.  For PAP?  Probably.  MS-CHAP?  Likely not.

> I've been searching around and it seems like it's only possible in
> version 4 because of the way versions up to 3 do proxying. Am I wrong?

  It's certainly a lot easier in v4.  i.e. pretty much trivial.

> I'm hoping that it's possible somehow using unlang in version 3.
>
>
> The reason for doing this is I want to continue authenticating users
> locally (AD as users db) and then proxy the request for MFA/2FA push
> notifications.

  Is the server receiving User-Password attributes?  If so, it should be relatively simple.  Otherwise, it may be a lot more difficult.

  Alan DeKok.
