Hi!
I tried to set up freeradius to proxy based on prefix and suffix at the
same time, where prefix has preference. There are accounts like:
[EMAIL PROTECTED] (should go to isp 1)
[EMAIL PROTECTED] (should go to GRIC)
username (should go to our own radiusd on another machine)
In radiusd.conf I have:
authorize {
    preprocess
    realmslash
    suffix
    files
}
...
preacct {
    realmslash
    suffix
    files
    preprocess
}
In proxy.conf I have:
realm isp1 {
    # for isp 1
    type = radius
    authhost = x.x.x.x:1812
    accthost = x.x.x.x:1813
    secret = xyz
    nostrip
}
realm NULL {
    # own radius-server
    type = radius
    authhost = y.y.y.y:1812
    accthost = y.y.y.y:1813
    secret = xyz
}
realm DEFAULT {
    # for GRIC
    type = radius
    authhost = z.z.z.z:1812
    accthost = z.z.z.z:1813
    secret = xyz
    nostrip
}
The users-file is empty, because all authentication should be done
by other radius-servers.
The problem now is that, as configured above, only isp1 and our own
accounts are working, but not GRIC.
Here are the log entries when dialing in with a GRIC-account:
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm NULL
modcall[authorize]: module "realmslash" returns updated
rlm_realm: Proxying request from user username to realm DEFAULT
modcall[authorize]: module "suffix" returns updated
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns updated
Sending Access-Request of id 4 to y.y.y.y:1812
As far as I understood this log, the realm has been set to
DEFAULT. But the Access-Request gets sent to our own radius-server
anyway, and not to the GRIC-servers.
If I change radiusd.conf to put suffix before realmslash (which
shouldn't be correct, I think), then GRIC and our own accounts are
working, but isp1 no longer. Then the requests for ISP1 are getting
sent to our own server and not to ISP1.
Any ideas? What did I do wrong?
A second point:
To overcome the problem above myself, I removed the prefix-checking
from radiusd.conf, so that only suffix-checking remains,
and put an entry in the users-file like
DEFAULT User-Name =~ "^isp1/", proxy-to-realm := "isp1"
    Fall-Through = No
for doing the prefix check.
Now I was happy at first, because authentication works now for all
three login-types. But in the case of isp1 only authentication is
correct, but accounting is not. Accounting records are not sent to
isp1 but to the default-server, which is the wrong one.
Does the "proxy-to-realm" only change authentication but not
accounting?
Thanks for any help!
Bernd
____________________________________________________________
Bernd Sontheimer phone +49 7361 93810
Sontheimer Datentechnik GmbH fax +49 7361 938181
Ulmer Str. 130 e-Mail [EMAIL PROTECTED]
73431 Aalen, Germany http://www.sdt.net