User and EAP authentication

User and EAP authentication

Thomas Manninger
   Hi,

   I am using freeradius 3.0.12+dfsg-5+deb9u1 on a Debian 9 server.

   I configured two virtual servers, one for X802.1 network authentication
   (name: inner-tunnel), another virtual server with PAP username/password
   authentication (name: keycloak).

   Every incoming request should be processed by the virtual_server
   "keycloak-auth", except all X802.1 requests should be processed by the
   virtual_server "inner-tunnel".
   But all requests, also the X802.1 requests, are processed by the
   virtual_server keycloak.

   If I understand it correctly, the eap module should send all EAP
   requests to the inner-tunnel, but this is not working :-( ...
   Only if I send all requests to the inner-tunnel virtual server, then
   X802.1 auth is working.

   How can I fix the issue?

   My listen configuration:
   > listen {
   >   type = auth
   >   ipaddr = *
   >   port = 0
   >   virtual_server = keycloak
   > }
   > listen {
   >   type = acct
   >   ipaddr = *
   >   ipv6addr = ::
   >   port = 0
   >   virtual_server = keycloak
   > }

   My keycloak site:
   > server keycloak {
   >   authorize {
   >     files
   >     filter_username
   >     filter_password
   >     preprocess
   >     expiration
   >     logintime
   >     keycloak
   >   }
   >   authenticate {
   >     Auth-Type keycloak {
   >       keycloak
   >     }
   >     Auth-Type pap {
   >       pap
   >     }
   >   }
   >  ...
   >  ...



   Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User and EAP authentication

Alan DeKok-2
On Mar 18, 2020, at 11:18 AM, Thomas Manninger <[hidden email]> wrote:

>   I configured two virtual servers, one for X802.1 network authentication
>   (name: inner-tunnel), another virtual server with PAP username/password
>   authentication (name: keycloak).
>
>   Every incoming request should be processed by the virtual_server
>   "keycloak-auth", except all X802.1 requests should be processed by the
>   virtual_server "inner-tunnel".

  That’s not how virtual servers work. The listen section has no configuration which tells the server to do that.

>   But all requests, also the X802.1 requests, are processed by the
>   virtual_server keycloak.

  Yes, that’s how virtual servers work.

>   If I understand it correctly, the eap module should send all EAP
>   requests to the inner-tunnel, but this is not working :-( ...

  No, the eap module will send “inner” authentication data to the inner-tunnel virtual server.  But the eap module still has to run in a separate virtual server.

  The default examples and comments explain this fairly well.

>   Only if I send all requests to the inner-tunnel virtual server, then
>   X802.1 auth is working.
>
>   How can I fix the issue?

  Configure the server correctly. Add the eap module to the “outer” virtual server.

  The default configuration does this for a reason. There’s no documentation which says that the “listen” sections work like you want.

>   My listen configuration:
>> listen {
>>  type = auth
>>  ipaddr = *
>>  port = 0
>>  virtual_server = keycloak
>> }

  There’s no magic there which says “run eap through a different virtual server”.
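
The arrangement described in the reply, written out as an added example (not configuration posted in the thread or shipped by the FreeRADIUS project). It assumes the poster's custom `keycloak` module, an EAP module instance named `eap`, and tunneled methods that point at `inner-tunnel` as in the stock module file; the `updated = return` line is a further assumption that EAP packets need nothing from the modules listed after `eap`.

```text
# sites-enabled/keycloak: the "outer" virtual server named in the listen sections
server keycloak {
  authorize {
    filter_username
    filter_password
    preprocess

    # Added: eap has to run in the server that receives the packet.
    # It is listed before "keycloak" because eap only sets Auth-Type
    # when no earlier module has already set it.
    eap {
      ok = return
      # Assumption: once eap has claimed the request, the modules
      # below are not needed for it, so stop processing here.
      updated = return
    }

    files
    expiration
    logintime
    keycloak
  }
  authenticate {
    Auth-Type keycloak {
      keycloak
    }
    Auth-Type pap {
      pap
    }
    # Added: handles the outer EAP conversation (Auth-Type eap).
    eap
  }
  # Remaining sections stay as in the poster's configuration.
}

# mods-enabled/eap: excerpt only, all other settings left at their stock values.
# The eap module hands the tunneled ("inner") authentication to this server.
eap {
  peap {
    virtual_server = "inner-tunnel"
  }
  ttls {
    virtual_server = "inner-tunnel"
  }
}
```

With this layout the listen sections keep `virtual_server = keycloak`; running the server in debug mode (`freeradius -X` on Debian) shows whether an EAP request is picked up by `eap` in the `keycloak` server and its inner data processed in `inner-tunnel`.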