At 08:25 PM 2/6/2003 +0100, Jacques Caruso wrote:
OK. I still haven't managed to get the damn solution working, even with the helpful hints from Chris and Alan, and even after trying very hard I still get proxy calls (and subsequent Access-Reject) for people who shouldn't trigger them. Here is what I finally put in radgroupcheck:
mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
+----+-----------+-------------------+-------+------+
| id | GroupName | Attribute         | Value | op   |
+----+-----------+-------------------+-------+------+
|  6 | internix  | No-Such-Attribute |       | :=   |
Huh? How can you think this is a valid entry?
# This one is special for one of our customers
DEFAULT Service-Type == Call-Check, Auth-Type += Accept
Probably want that to be :=, not +=.
# This is the one that should be triggering the proxying. Note I was
# under the impression from Alan's message that telling the program that
# the Auth-Type was Local and there was no fall-through would be enough
# but since it didn't work, I added that condition (without success :-(
DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"
Again, you'll probably want :=, not +=. I also don't think this will work the way that you want it to.
The proxy.conf has only one realm:
alien {
        type = radius
        authhost = xxx.xx.xxx.xx:1812
        accthost = xxx.xx.xxx.xx:1813
        secret = xxxxxxxxx
}
Why not just put a DEFAULT entry in your 'proxy.conf' file?
And here is what happens when I try to authenticate a local user with that configuration:
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
users: Matched DEFAULT at 216
What entry exists at line 216 of the users file? Is it the one you want to match?
modcall[authorize]: module "files" returns ok
rlm_realm: No '@' in User-Name = "xxxxxxxxxx", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
modcall: group authorize returns ok
Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
                                  ^^^^^^^^^^^^^^^^^^
... but the software insists on proxying the request anyway (?!?!?).
You're telling it to via your 'Proxy-To-Realm' check-item in the
users file. You need to work on that DEFAULT entry at line 216, so
that it doesn't match when you don't want it to.
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
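
An added example, not part of the original message and not FreeRADIUS project code: a small Python check that lists users-file entries by line number (the number that a debug line such as "users: Matched DEFAULT at 216" refers to) and flags the two points raised in the reply. The sample file is constructed around the two DEFAULT entries quoted in the thread; the `jdoe` entry and the `SET_ONCE` list are assumptions.

```python
import re

# attribute, operator, value; longer operators are listed before their prefixes
ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(==|!=|:=|\+=|<=|>=|=~|!~|=\*|!\*|=|<|>)\s*("[^"]*"|[^,\s]+)')
# Control attributes the reply says to set with := (assumption: only these two are checked)
SET_ONCE = {"Auth-Type", "Proxy-To-Realm"}

# Constructed sample; the two DEFAULT lines are the ones quoted in the thread.
SAMPLE = '''\
# constructed users file
jdoe    Auth-Type := Local
        Framed-Protocol = PPP

DEFAULT Service-Type == Call-Check, Auth-Type += Accept

DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"
'''

def parse_entries(text):
    """Yield (line_no, name, [(attr, op, value), ...]) for each entry's first line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        # Entries start in column 0; reply items are indented, comments start with '#'.
        if not line or line[0] in "# \t":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        items = [(m.group(1), m.group(2), m.group(3).strip('"'))
                 for m in ITEM_RE.finditer(rest)]
        yield line_no, parts[0], items

def lint(text):
    """Return (line_no, entry_name, message) for each point worth reviewing."""
    findings = []
    for line_no, name, items in parse_entries(text):
        for attr, op, value in items:
            if attr in SET_ONCE and op == "+=":
                findings.append((line_no, name,
                    f"{attr} += {value}: += appends; := replaces any earlier value"))
            if name == "DEFAULT" and attr == "Proxy-To-Realm" and op in (":=", "+=", "="):
                findings.append((line_no, name,
                    f"sets Proxy-To-Realm to {value}: every request matching this entry is proxied"))
    return findings

if __name__ == "__main__":
    for line_no, name, message in lint(SAMPLE):
        print(f"users:{line_no} [{name}] {message}")
```
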