Jacques Caruso <[EMAIL PROTECTED]> wrote:
> OK. I still haven't managed to get the damn solution working, even with
> the helpful hints from Chris and Alan, and even after trying very hard I
> still get proxy calls (and subsequent Access-Reject) for people who
> shouldn't trigger them. Here is what I finally put in radgroupcheck:
> 
> mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix';
> +----+-----------+-------------------+-------+------+
> | id | GroupName | Attribute         | Value | op   |
> +----+-----------+-------------------+-------+------+
> |  6 | internix  | No-Such-Attribute |       | :=   |

  What the heck is that line for?

> # This is the one that should be triggering the proxying. Note I was
> # under the impression from Alan's message that telling the program that
> # the Auth-Type was Local and there was no fall-through would be enough
> # but since it didn't work, I added that condition (without success :-(
> DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien"

  That won't work, unfortunately.  The '!=' check for Auth-Type isn't
supported.

> And the 'authorize' section in radiusd.conf is like:
> 
> authorize {
> preprocess
> sql
> files
> suffix
> }

  That means pass the users through 'files', and then ALSO through
'suffix'.

  The 'Fall-Through = Yes' attribute works ONLY inside of the 'users'
file, and doesn't affect the handling of the 'authorize' section.

  What you want to do here is read 'doc/configurable_failover', which
allows you to set up fail-over of fall-through between different
modules in 'authorize'.

> I'm clearly missing something. But what? I tried all sorts of weird
> things to avoid this problem (a Proxy-To-Realm attribute pointing all
> group members to a fake realm with a LOCAL authhost, for example).

  That should work.

> modcall: group authorize returns ok
> Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812
>                                   ^^^^^^^^^^^^^^^^^^
>                                   ... but the software insists on
>                                   proxying the request anyway (?!?!?).

  Something, somewhere, is telling it to proxy that request.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html