Hi! I tried to setup freeradius to proxy based on prefix and suffix the same time, where prefix has preference. There are accounts like:
[EMAIL PROTECTED] (should go to isp 1) [EMAIL PROTECTED] (should go to GRIC) username (should go to our own radiusd on another machine) In radiusd.conf i've: authorize { preprocess realmslash suffix files } ... preacct { realmslash suffix files preprocess } In proxy.conf i've: realm isp1 { # for isp 1 type = radius authhost = x.x.x.x:1812 accthost = x.x.x.x:1813 secret = xyz nostrip } realm NULL { # own radius-server type = radius authhost = y.y.y.y:1812 accthost = y.y.y.y:1813 secret = xyz } realm DEFAULT { # for GRIC type = radius authhost = z.z.z.z:1812 accthost = z.z.z.z:1813 secret = xyz nostrip } The users-file is empty, because all authentication should by done be other radius-servers. The problem is now, that like above only isp1 and our own accounts are working, but not GRIC. He are the log entries when dialing in with a GRIC-account: modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok rlm_realm: Proxying request from user [EMAIL PROTECTED] to realm NULL modcall[authorize]: module "realmslash" returns updated rlm_realm: Proxying request from user username to realm DEFAULT modcall[authorize]: module "suffix" returns updated modcall[authorize]: module "files" returns notfound modcall: group authorize returns updated Sending Access-Request of id 4 to y.y.y.y:1812 So far as i understood this log the realm has been set to DEFAULT. But Access-Request gets sent to our own radius-server anyway, and not to the GRIC-servers. If i change radiusd.conf to put suffix before realmslash (which shouldn't be correct i think), then GRIC and our own accounts are working, but isp1 no longer. Then the requests for ISP1 are getting sent to our own server and not to ISP1. And ideas? What did i wrong? A second point: To overcome the problem above myself i removed the prefix- checking from radiusd.conf, so that only suffix-checking remains, and put a entry in the users-file like DEFAULT User-Name =~ "^isp1/", proxy-to-realm := "isp1" Fall-Through = No for doing the prefix check. No i was happy first, because authentication works now for all three login-types. But in the case of isp1 only authentication is correct, but accounting not. Accounting records are not sent to isp1 but to the default-server, which is the wrong one. Does the "proxy-to-realm" only change authentication but not accounting? Thanks for any help! Bernd ____________________________________________________________ Bernd Sontheimer phone +49 7361 93810 Sontheimer Datentechnik GmbH fax +49 7361 938181 Ulmer Str. 130 e-Mail [EMAIL PROTECTED] 73431 Aalen, Germany http://www.sdt.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html