At 08:25 PM 2/6/2003 +0100, Jacques Caruso wrote:
OK. I still haven't managed to get the damn solution working, even with
the helpful hints from Chris and Alan, and even after trying very hard I
still get proxy calls (and subsequent Access-Reject) for people who
shouldn't trigger them. Here is what I finally put in radgroupcheck:

mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
+----+-----------+-------------------+-------+------+
| id | GroupName | Attribute         | Value | op   |
+----+-----------+-------------------+-------+------+
|  6 | internix  | No-Such-Attribute |       | :=   |
Huh?  How can you think this is a valid entry?

# This one is special for one of our customers
DEFAULT Service-Type == Call-Check, Auth-Type += Accept
Probably want that to be :=, not +=.

# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I added that condition (without success :-(
DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"
Again, you'll probably want :=, not +=.  I also don't think this will
work the way that you want it to.

The proxy.conf has only one realm:

alien {
        type            = radius
        authhost        = xxx.xx.xxx.xx:1812
        accthost        = xxx.xx.xxx.xx:1813
        secret          = xxxxxxxxx
}
Why not just put a DEFAULT entry in your 'proxy.conf' file?

And here is what happens when I try to authenticate a local user with
that configuration:

rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
    users: Matched DEFAULT at 216
What entry exists at line 216 of the users file?  Is it the one you
want to match?

  modcall[authorize]: module "files" returns ok
    rlm_realm: No '@' in User-Name = "xxxxxxxxxx", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
modcall: group authorize returns ok
Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
                                  ^^^^^^^^^^^^^^^^^^
                                  ... but the software insists on proxying
                                  the request anyway (?!?!?).
You're telling it to via your 'Proxy-To-Realm' check-item in the
users file. You need to work on that DEFAULT entry at line 216, so
that it doesn't match when you don't want it to.
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
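
The two checks suggested in the reply above (look at the entry at the line the debug output reports, and look for `+=` where `:=` is meant) can be run over a users file with a small script. This is an added example, not part of the original message or of FreeRADIUS; the function names, the `localuser` entry and the sample file are constructed, and the parser only handles the operators that appear in this thread.

```python
import re

# One check item: attribute, operator, value (quoted or bare).
ITEM = re.compile(r'([\w-]+)\s*(:=|\+=|==|!=|=)\s*("[^"]*"|[^,\s]+)')
# Check items the reply says should be set with ":=" rather than "+=".
SET_WITH_ASSIGN = {"Auth-Type", "Proxy-To-Realm"}

# Constructed sample; the two DEFAULT lines are the ones quoted in the thread.
SAMPLE_USERS = '''\
# constructed sample users file
localuser Auth-Type := Local
        Fall-Through = No

DEFAULT Service-Type == Call-Check, Auth-Type += Accept

DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"
'''

def parse_entries(text):
    """Return {line_no: (name, [(attr, op, value), ...])} for each entry's first line."""
    entries = {}
    for no, line in enumerate(text.splitlines(), 1):
        # Indented lines are reply items of the previous entry; '#' starts a comment.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        items = [(a, op, v.strip('"')) for a, op, v in ITEM.findall(rest)]
        entries[no] = (parts[0], items)
    return entries

def lint(entries):
    """Return [(line_no, message)] for the two problems pointed out in the reply."""
    findings = []
    for no, (name, items) in sorted(entries.items()):
        for attr, op, value in items:
            if attr in SET_WITH_ASSIGN and op == "+=":
                findings.append((no, f"{attr} uses '+=', the reply suggests ':='"))
            if name == "DEFAULT" and attr == "Proxy-To-Realm" and op in (":=", "+="):
                findings.append((no, f"DEFAULT sets Proxy-To-Realm to {value!r}: "
                                     "every request matching this entry is proxied"))
    return findings

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_USERS)
    print("entry at line 7:", parsed[7])  # same lookup as "Matched DEFAULT at <line>"
    for no, msg in lint(parsed):
        print(f"line {no}: {msg}")
```
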