Jacques Caruso <[EMAIL PROTECTED]> wrote: > OK. I still haven't managed to get the damn solution working, even with > the helpful hints from Chris and Alan, and even after trying very hard I > still get proxy calls (and subsequent Access-Reject) for people who > shouldn't trigger them. Here is what I finally put in radgroupcheck : > > mysql> SELECT * FROM radgroupcheck WHERE GroupName='internix'; > +----+-----------+-------------------+-------+------+ > | id | GroupName | Attribute | Value | op | > +----+-----------+-------------------+-------+------+ > | 6 | internix | No-Such-Attribute | | := |
What the heck is that line for? > # This is the one that should be triggering the proxying. Note I was > # under the impression from Alan's message that telling the program that > # the Auth-Type was Local and there was no fall-through would be enough > # but since it didn't work, I added that condition (without success :-( > DEFAULT Auth-Type != Local, Proxy-To-Realm += "alien" That won't work, unfortunately. The '!=' check for Auth-Type isn't supported. > And the 'authorize' section in radiusd.conf is like : > > authorize { > preprocess > sql > files > suffix > } That means pass the users through 'files', and then ALSO through 'suffix'. The 'Fall-Through = Yes' attribute works ONLY inside of the 'users' file, and doesn't affect the handling of the 'authorize' section. What you want to do here is read 'doc/configurable_failover', which allows you to set up fail-over of fall-through between different modules in 'authorize' > I'm clearly missing something. But what ? I tried all sort of weird > things to avoid this problem (a Proxy-To-Realm attribute pointing all > group members to a fake realm with a LOCAL authhost, for example) That should work. > modcall: group authorize returns ok > Sending Access-Request of id 1 to xxx.xx.xxx.xx:1812 > ^^^^^^^^^^^^^^^^^^ > ... but the software insists to proxy > the request anyway (?!?!?). Something, somewhere, is telling it to proxy that request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html