How to use FreeRADIUS as a RADIUS translator - freeradius

I have configured strongSwan (IPsec) to send requests to FreeRADIUS via eap-radius,
and I configured FreeRADIUS to proxy the requests to another RADIUS server (IBSng).
But IPsec sends EAP, and FreeRADIUS forwards the original request to IBSng. IBSng doesn't understand EAP! It just needs a clear-text password.
How can I translate EAP to a clear-text password in the proxy?
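
The question has no answer on the page. As an added example (not from the asker and not the FreeRADIUS project's own configuration), the following shows the one arrangement in which a proxy can hand IBSng a clear-text password: FreeRADIUS terminates EAP itself, offers EAP-TTLS, the client sends PAP inside the TLS tunnel, and the inner-tunnel virtual server proxies the decrypted inner request as a plain PAP Access-Request. It cannot work for EAP-MSCHAPv2, because MS-CHAPv2 only ever carries a challenge/response pair, never the password, so a client that offers nothing but EAP-MSCHAPv2 cannot be served this way. The home-server address, shared secret, certificate paths and the realm name are placeholders; the file layout follows the 2.x raddb (in 3.x the eap module's `tls` block becomes a `tls-config`).

```conf
# --- raddb/proxy.conf: the home server that needs a clear-text password ---
# 192.0.2.10 and the secret are placeholders for the IBSng server.
home_server ibsng {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = "change-me"
}
home_server_pool ibsng_pool {
    type        = fail-over
    home_server = ibsng
}
# Referenced by name from the inner tunnel below; no User-Name suffix
# matching is involved, so every inner request goes to this pool.
realm ibsng {
    auth_pool = ibsng_pool
    nostrip
}

# --- raddb/eap.conf: terminate EAP here and propose EAP-TTLS to the client ---
# The client (via strongSwan's eap-radius pass-through) must accept TTLS;
# with PAP as the inner method the password reaches the inner tunnel in clear.
eap {
    default_eap_type = ttls
    tls {
        certificate_file = ${confdir}/certs/server.pem
        private_key_file = ${confdir}/certs/server.key
        ca_file          = ${confdir}/certs/ca.pem
    }
    ttls {
        default_eap_type       = md5   # only used if the client picks an inner EAP method
        virtual_server         = "inner-tunnel"
        copy_request_to_tunnel = no
        use_tunneled_reply     = yes   # IBSng's reply attributes go into the outer Accept
    }
}

# --- raddb/sites-enabled/inner-tunnel: what the decrypted inner request sees ---
server inner-tunnel {
    authorize {
        # TTLS/PAP puts User-Name and User-Password in clear into this request;
        # forward it to IBSng as an ordinary PAP Access-Request. No local
        # files/sql lookup is needed, IBSng makes the decision.
        if (User-Password) {
            update control {
                Proxy-To-Realm := "ibsng"
            }
        }
        else {
            # PEAP, or TTLS with an inner MS-CHAPv2, only carries a
            # challenge/response. No clear-text password exists, so there is
            # nothing to "translate"; fail closed instead of forwarding EAP.
            reject
        }
    }
    authenticate {
        # Not reached for proxied requests; kept so a local PAP fallback
        # (e.g. during testing without IBSng) still works.
        Auth-Type PAP {
            pap
        }
    }
}
```

Two things to check before relying on this: the inner tunnel now carries the password in clear between FreeRADIUS and IBSng, so that leg should be on a trusted network or itself protected (RadSec), and the outer TLS certificate FreeRADIUS presents must be one the VPN client validates, otherwise TTLS gives no protection against a rogue RADIUS server collecting those PAP passwords.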

Related

Unsupported attribute 27 in CoA-Request from IP:PORT

I have a FreeRADIUS server set up on my Ubuntu VM. My Edgecore AP is connected to a MikroTik and a laptop. I have OpenWRT running on the AP, and I'm able to connect a client using WPA2 Enterprise encryption. I'm trying to send a CoA request from the VM, such as "Session-Timeout"; however, observing the logs on the AP, I receive the message I've included in the title. Is CoA completely unsupported, or can hostapd simply not understand the incoming request?
Dynamic Authorization Extensions (RFC 5176) are disabled by default in hostapd.
Set radius_das_port=3799 in your conf to enable this feature.
https://web.mit.edu/freebsd/head/contrib/wpa/hostapd/hostapd.conf
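
The full DAS stanza that goes with that one line, as an added example (not part of the answer above and not hostapd's own documentation), plus the radclient invocation used to exercise it from the FreeRADIUS VM. Interface, SSID, addresses, the shared secret and the station MAC are placeholders. Two facts worth knowing when reading the question's log line: attribute 27 is RFC 2865's Session-Timeout, and the "Unsupported attribute ... in CoA-Request" message is emitted by hostapd's DAS handler itself, so on that AP the listener is already on. hostapd implements Disconnect-Request for session control; its CoA-Request handler accepts only a small set of attributes and answers CoA-NAK with Error-Cause Unsupported-Attribute for the rest.

```conf
# hostapd.conf fragment. 192.0.2.5 stands for the FreeRADIUS VM (the DAC),
# 192.0.2.20 for the AP; both are placeholders.
interface=wlan0
ssid=corp-enterprise
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.5
auth_server_port=1812
auth_server_shared_secret=change-me
acct_server_addr=192.0.2.5
acct_server_port=1813
acct_server_shared_secret=change-me

# RFC 5176 Dynamic Authorization Extensions: off until radius_das_port is set.
radius_das_port=3799
# Only listed clients may send Disconnect/CoA; one line per DAC, "IP secret".
radius_das_client=192.0.2.5 change-me
# Replay protection: require Event-Timestamp and accept it only within this
# many seconds of the AP's clock.
radius_das_require_event_timestamp=1
radius_das_time_window=300
# Require Message-Authenticator so a request cannot be forged by a host that
# merely spoofs the DAC's source address on the LAN.
radius_das_require_message_authenticator=1

# From the FreeRADIUS VM (radclient ships in freeradius-utils), a
# Disconnect-Request for the session of a constructed user/station pair;
# hostapd formats Calling-Station-Id as upper-case hex with hyphens:
#   echo 'User-Name = "alice", Calling-Station-Id = "02-00-00-00-00-01"' \
#     | radclient -x 192.0.2.20:3799 disconnect change-me
# Replace "disconnect" with "coa" to send a CoA-Request instead.
```

After `hostapd -dd` shows "DAS: Listening" on the new port, a Disconnect-ACK from the command above confirms secret, timestamp window and Message-Authenticator settings agree on both sides; a CoA-NAK with Unsupported-Attribute after that is a limit of hostapd's CoA handling, not a configuration error.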

How to setup HAProxy to add access token to client requests

I have a client that can only make requests without authentication information.
I would like to use HAProxy or a similar proxy solution to add OAuth authentication to these client requests.
I have already succeeded in adding a Bearer token to the client requests. See below for the haproxy.cfg with some placeholders.
    frontend front
        mode http
        bind *:8080
        default_backend servers
        http-request add-header Authorization "Bearer {{ .Env.ACCESS_TOKEN}}"

    backend servers
        mode http
        server server1 myserver.com:443 ssl
The problem is that the access tokens have a TTL of 24 hours. So I need to refresh them or get a new token periodically.
Does HAProxy support this already?
I can write some script to get a new access token periodically, update the config and restart HAProxy. Is this a good approach when running HAProxy in docker? Are there better solutions?
You could try creating/testing your script using Lua; it is now supported in the latest versions. Check "How Lua runs in HAProxy".
An example of this, but using Nginx + Lua, can be found in this project: https://github.com/jirutka/ngx-oauth
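
The Lua route the answer points at, as an added example (not from the answer, the ngx-oauth project, or HAProxy's own documentation): a script that fetches a client-credentials token in a background task, refreshes it ahead of expiry, and injects it into each request. It assumes HAProxy 2.5 or later (for core.httpclient), a token endpoint that returns the usual RFC 6749 JSON body, and the endpoint URL plus client credentials in HAProxy's environment; TOKEN_URL, CLIENT_ID and CLIENT_SECRET are variable names chosen for this example.

```lua
-- /etc/haproxy/oauth_token.lua
-- Wire-up in haproxy.cfg (replaces the add-header line from the question):
--   global
--       lua-load /etc/haproxy/oauth_token.lua
--   frontend front
--       http-request lua.inject_token
local TOKEN_URL     = os.getenv("TOKEN_URL") or "https://auth.example.com/oauth2/token"
local CLIENT_ID     = os.getenv("CLIENT_ID") or ""
local CLIENT_SECRET = os.getenv("CLIENT_SECRET") or ""
local REFRESH_MARGIN = 300   -- refresh this many seconds before expiry
local RETRY_DELAY    = 30    -- retry interval after a failed fetch

-- With lua-load the Lua state is shared (and lock-protected) across threads,
-- so these two locals are the process-wide token cache.
local token = nil
local expires_at = 0

local function urlencode(s)
  return (s:gsub("[^%w%-%._~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Minimal extraction of access_token / expires_in from the JSON reply.
-- HAProxy ships no JSON library; this is enough for a well-formed token
-- response and deliberately fails (returns nil) on anything else.
local function parse_token_response(body)
  local tok = body:match('"access_token"%s*:%s*"([^"]+)"')
  local ttl = tonumber(body:match('"expires_in"%s*:%s*(%d+)'))
  return tok, ttl
end

local function fetch_token()
  local hc = core.httpclient()
  local res = hc:post{
    url = TOKEN_URL,
    headers = {
      ["content-type"] = { "application/x-www-form-urlencoded" },
      ["accept"]       = { "application/json" },
    },
    body = "grant_type=client_credentials"
        .. "&client_id=" .. urlencode(CLIENT_ID)
        .. "&client_secret=" .. urlencode(CLIENT_SECRET),
  }
  if not res or res.status ~= 200 then
    core.Alert("oauth: token request failed, status " .. tostring(res and res.status))
    return false
  end
  local tok, ttl = parse_token_response(res.body or "")
  if not tok then
    core.Alert("oauth: no access_token in token response")
    return false
  end
  token = tok
  expires_at = core.now().sec + (ttl or 3600)
  return true
end

-- Background task: keep the cache fresh. A failed fetch keeps the previous
-- token (still valid until expires_at) and retries soon, so a short outage
-- of the authorization server does not take the proxy down.
core.register_task(function()
  while true do
    local ok = fetch_token()
    local wait = RETRY_DELAY
    if ok then
      wait = math.max(expires_at - core.now().sec - REFRESH_MARGIN, RETRY_DELAY)
    end
    core.sleep(wait)
  end
end)

-- Per-request action. req_set_header overwrites any Authorization header the
-- client sent; the question's add-header would forward both. With no token
-- yet (or an expired one), fail closed instead of sending the request
-- unauthenticated to the backend.
core.register_action("inject_token", { "http-req" }, function(txn)
  if not token or core.now().sec >= expires_at then
    local reply = txn:reply({
      status  = 503,
      reason  = "Service Unavailable",
      headers = { ["content-type"] = { "text/plain" } },
      body    = "upstream token unavailable\n",
    })
    txn:done(reply)
  end
  txn.http:req_set_header("Authorization", "Bearer " .. token)
end, 0)
```

This removes the restart-on-rotation loop the question asks about: the token lives in the Lua state, so neither the config file nor the container is touched when it changes. Keep the client secret out of the image and the config (environment at start-up, as here, or a mounted secret file read with io.open) and restrict the frontend to the client that is allowed to borrow this identity, since every request that reaches it now leaves with a valid bearer token.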

FreeRadius config: reject request upon inner-tunnel auth type is "none"

I just set up a FreeRADIUS server (version 2.2.5) on a Raspberry Pi with the daloRADIUS 0.99 web interface. OS = Debian Jessie. I do not use certificates for authentication.
Everything is working fine; I restricted the authentication types used to PEAP for the first authentication and the inner tunnel (second authentication) to MSCHAP(v2).
Now I noticed that when I configure a client using PEAP and no inner-tunnel auth method, it is still possible to dial in.
I want to restrict the second authentication to only accept MSCHAP/MSCHAPv2 and not "none" as the auth method.

freeRADIUS with LDAP SASL/Certificate based binding

I am working on freeRADIUS v1.1.7-r0.0.2 with LDAP as the backend for authenticating users.
I want to configure the freeRADIUS server with certificates instead of using usernames and passwords.
How do I configure RADIUS+LDAP using SASL/certificate-based binding?
Please guide me on how to achieve this. Is there any help/documentation on how to configure an LDAP SASL bind for the RADIUS server?
Support for SASL binding was recently added in v3.0.x, both for administrative binds and for user binds; it's not available in previous versions.
See the SASL sections in the config here.
Certificate-based binding has always been supported. It's configured with the certificate_file and private_key_file config items.
You cannot pass the SSL tunnel through from something like an EAP conversation.

Spring Security, OpenID, and mod_proxy

I have an application using Spring Security's OpenID implementation. The app server sits behind a proxy. The proxy is Apache httpd with mod_proxy. If the proxy connects to the app server via HTTP, the application will tell the OpenID authenticator to redirect back via HTTP rather than HTTPS, as I would prefer. It seems to pull the protocol dynamically and only sees HTTP. If I configure the proxy to use HTTPS, I run into this problem. So is there a way to operate Spring Security behind a proxy that uses HTTP?
A little extra mod_proxy and Glassfish configuration solved this problem for me:
https://serverfault.com/questions/496888/ssl-issue-with-mod-proxy
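
One way to do what the linked answer describes, as an added example that is not the serverfault answer's configuration: let mod_proxy terminate TLS and pass the client's real scheme to the app server in X-Forwarded-Proto, so the application builds its OpenID return_to URL with https while the proxy-to-app hop stays plain HTTP. Hostnames, certificate paths and the backend address are placeholders; the modules needed are mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

```conf
# Apache httpd, e.g. /etc/apache2/sites-available/app.conf
<VirtualHost *:80>
    ServerName app.example.com
    # Never serve the OpenID round trip over plain HTTP.
    Redirect permanent / https://app.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Keep the client's Host header so the app builds return_to with the
    # public name rather than the backend's address.
    ProxyPreserveHost On

    # mod_proxy adds X-Forwarded-For/-Host/-Server itself but not the
    # scheme. "set" overwrites rather than appends, so a client cannot
    # smuggle its own X-Forwarded-Proto value through the proxy.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Backend on the internal network, plain HTTP (assumption: the app
    # server is reachable only from this proxy).
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The app side has to be told to honour that header, and only from this proxy: Spring Framework's ForwardedHeaderFilter and Tomcat's RemoteIpValve (protocolHeader="X-Forwarded-Proto", with internalProxies limited to the proxy's address) do that, and GlassFish exposes the same thing as the scheme-mapping attribute of the HTTP protocol on the listener. If the app server is also reachable directly, a client can send X-Forwarded-Proto itself, which is why the trust must be tied to the proxy's address rather than to the header's presence.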
