FreeRADIUS and RSA RADIUS Server
A.Cudbard-Bell at sussex.ac.uk
Tue Feb 5 16:07:10 CET 2008
Jakub Morávek wrote:
> First of all thanks for your reply. I'll try to be more specific.
> On Feb 5, 2008 2:58 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Jakub Morávek wrote:
> > I do not have much experience with radius, so my question may be
> > stupid. Has anybody experience with using freeradius (Version
> 1.1.3 in
> > Debian Sarge) as proxy for RSA RADIUS Server included in RSA
> > Authentication Manager 6.1?
> Many people have tried this. It works.
> I know, but I did not find anyone who discussed this problem.
> > When an authentication request goes through the freeradius proxy, RSA
> > thinks that Agent host is my freeradius proxy instead of
> original host
> > which sent authenticate request.
> I don't know what an "Agent host" is. FreeRADIUS *is* a RADIUS
> to the RSA manager.
> In RSA terminology an "Agent host" is a host which sends authentication
> For example, if you want to setup "ssh-server" to authenticate ssh
> login against RSA, you have to add "ssh-server" (name and its IP
> address) into RSA database and setup list of users, which are allowed
> to log into "ssh-server".
> If "user1" tries to access "ssh-server", "ssh-server" sends
> authentication request to RSA.
> RSA looks into database if "user1" is allowed to log into "ssh-server"
> In my case RSA rejects "user1" access, because RSA thinks that
> "user1" wants to log into "freeradius" and there is no "freeradius"
> Agent host defined in RSA database.
> > Does this mean that freeradius processes all attributes from
> > pre-proxy-detail-20080204 log, but sends only attributes, which are
> > shown in extended debug mode? If so, can anybody give me any
> advice how
> > can I configure freeradius to send more attributes?
> To do... what?
> My idea is that freeradius does not send Client-IP-Address attribute
> and therefore RSA RADIUS determines that original host is freeradius
> proxy server.
Erm no, you're wrong; 'Client-IP-Address' is an internal FreeRADIUS
attribute. If it was sent the Funk RADIUS server wouldn't understand
it... but it's not sent as all FR internal attributes are filtered out.
The RSA Funk Server determines Agent Host identity from the UDP Packet
Header, not any of the attributes inside the RADIUS Packet. It could in
theory use NAS-IP-Address as an identifier, but I doubt it does.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
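
A model of the behaviour described in the reply above, added here as an example and not code from the thread, FreeRADIUS or RSA: the server looks up the Agent Host by the datagram's source address, so a proxied request is attributed to the proxy even though NAS-IP-Address still names the original host. Assumptions: the 192.0.2.x addresses and the agent table are constructed, and the proxy is modelled as forwarding the attributes unchanged.

```python
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS = 1, 4   # RFC 2865 attribute types

def build_access_request(user, nas_ip, ident=1):
    """Encode a minimal Access-Request (no password, illustration only)."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs   # random Request Authenticator

def parse_attributes(packet):
    """Return {type: value} for the attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def proxy_forward(datagram, proxy_ip):
    """Model of a proxy: same attributes, new UDP source address."""
    _src_ip, packet = datagram
    return (proxy_ip, packet)

def identify_agent(datagram, agents):
    """Model of the server: client looked up by UDP source address only."""
    src_ip, packet = datagram
    nas_ip = ipaddress.IPv4Address(parse_attributes(packet)[NAS_IP_ADDRESS])
    return agents.get(src_ip), str(nas_ip)

# Constructed sample data: documentation addresses, host names from the thread.
AGENTS = {"192.0.2.10": "ssh-server"}          # "freeradius" is not registered
direct = ("192.0.2.10", build_access_request("user1", "192.0.2.10"))
proxied = proxy_forward(direct, "192.0.2.20")  # 192.0.2.20 = freeradius proxy

if __name__ == "__main__":
    print("direct :", identify_agent(direct, AGENTS))
    print("proxied:", identify_agent(proxied, AGENTS))
```
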