path: root/doc/antora/modules/howto/pages/protocols/proxy/enable_proxy_protocol.adoc
== Enabling PROXY Protocol

Now that we have a working configuration that uses RadSec with HAproxy
or Traefik, we are finally ready to enable PROXY Protocol.

Configure FreeRADIUS on the `radsecsvr` host to expect the PROXY
Protocol for RadSec connections.  This is done by editing the `listen
{}` section of the `tls` virtual server to include a reference to the
proxy protocol:

.Enabling PROXY Protocol in a FreeRADIUS virtual server
=======================================================

 listen {
     ...
     proxy_protocol = true
     ...
 }

=======================================================

Now restart the debugging session:

[source,shell]
----
radiusd -fxxl /dev/stdout
----


For HAproxy, you should enable the PROXY Protocol on connections to
the RadSec backend, by editing the `backend` definition to add a
`send-proxy` argument:

.Example HAproxy backend configuration with PROXY Protocol
==========================================================

 backend radsec_be
     mode tcp
     balance roundrobin
     server radsecsvr 172.23.0.3:2083 send-proxy

==========================================================

Note the `send-proxy` argument in the `server` definition.

Now reload the HAproxy service:

[source,shell]
----
service haproxy reload
----


For Traefik, enable the PROXY Protocol on connections to the RadSec
backend by editing the `radsec-service` definition to add a reference
to the proxy protocol:

.Example Traefik service configuration with PROXY Protocol
==========================================================

     radsec-service:
       loadBalancer:
         servers:
         - address: "172.23.0.3:2083"
         proxyProtocol:
           version: 1

==========================================================

Note the `proxyProtocol` and `version: 1` directives.

Traefik should automatically detect the updates and reconfigure the
service.


=== Testing RadSec connectivity via a proxy using PROXY Protocol

Finally, with your test client configured to use the proxy, perform a
test authentication:

[source,shell]
----
echo "User-Name = bob" | radclient 127.0.0.1 auth testing123
----

You should expect to see the familiar output:

.Example output from radclient
==============================

 Sent Access-Request Id 252 from 0.0.0.0:50118 to 127.0.0.1:1812 length 27
 Received Access-Accept Id 252 from 127.0.0.1:1812 to 127.0.0.1:50118 length 39

==============================

Now examine the FreeRADIUS debug output on the RadSec server:

.Expected output from `radiusd -X` with PROXY Protocol
======================================================

 ...
 (0) (TLS) Received PROXY protocol connection from client \
   172.23.0.2:55343 -> 172.23.0.4:2083, via proxy 172.23.0.4:40268 -> 0.0.0.0:2083
 ...
 (0) Received Access-Request Id 227 from 172.23.0.2:55343 to 172.23.0.4:2083 length 49
 (0) Sent Access-Accept Id 227 from 172.23.0.4:2083 to 172.23.0.2:55343 length 0
 ...

======================================================

The output indicates that FreeRADIUS is receiving the originating
connection information from the PROXY Protocol.  FreeRADIUS then
handles the RadSec requests as though they have been received directly
from the originating client.
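
The originating address in that debug line comes from a one-line text header that the proxy writes ahead of the TLS handshake; HAproxy's `send-proxy` and Traefik's `version: 1` both send this version 1 form. The following is an added example, not FreeRADIUS code: a minimal v1 header parser that also shows why the listener should honour the header only when the TCP peer is the proxy itself. The names `parse_proxy_v1` and `TRUSTED_PROXIES` and the sample bytes are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LEN = 107                  # longest v1 header the spec allows, CRLF included
TRUSTED_PROXIES = {"172.23.0.4"}  # assumption: proxy address seen in the debug output


def parse_proxy_v1(stream: bytes, peer_ip: str):
    """Split a PROXY protocol v1 header off the front of a TCP stream.

    Returns (src, dst, rest): src and dst are (ip, port) tuples, or None for
    the UNKNOWN family; rest is the payload (here, the start of the TLS
    handshake). Raises ValueError on an untrusted peer or a malformed header.
    """
    # The header is unauthenticated: honour it only from a known proxy.
    if peer_ip not in TRUSTED_PROXIES:
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    end = stream.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF-terminated header in the first 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    rest = stream[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":          # proxy could not supply addresses
        return None, None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    addr_cls = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src_ip, dst_ip = (str(addr_cls(f)) for f in fields[2:4])
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError(f"bad port {p!r}")
        ports.append(int(p))
    return (src_ip, ports[0]), (dst_ip, ports[1]), rest


# Constructed sample: the header a proxy would send for the connection in the
# debug output, followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 172.23.0.2 172.23.0.4 55343 2083\r\n" + b"\x16\x03\x01"

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE, peer_ip="172.23.0.4"))
```

Because any host that can reach the listener directly could write its own header and claim an arbitrary source address, the RadSec port should be reachable only from the proxy once `proxy_protocol = true` is set.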