I am using FreeRADIUS 1.0.1 to authenticate MAC addresses (as username) from
various wireless access points. There is a master RADIUS server that
contains a list of valid usernames (MAC addresses) but I want to be able to
override that list for my local wireless access points.

I have configured FreeRADIUS to proxy requests to the master RADIUS server,
but the response of the master server is used regardless of my local users
file.

According to the doc/proxy file, the users file is to be processed as usual
after a proxy response is received. I take this to mean that a username
found in the users file will be used instead of any response given by the
master server.

What is the proper way to configure for proxy but maintain a list of users
that are accepted/rejected either without consulting the master server or
overriding the response from the master server?

Dennis Beach
Systems Engineer
RR Donnelley, Information Technology
(765) 364-4604 - phone
(765) 230-6111 - cellular
(765) 364-3056 - fax
---------------------------------------------
My proxy.conf file contains:
realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm NULL {
    type = radius
    authhost = masteripaddr:1645
    accthost = masteripaddr:1646
    secret = wirelesslan
}
realm DEFAULT {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

The following is a transcript of log messages from a connection attempt:
rad_recv: Access-Request packet from host 10.225.66.156:1645, id=16, length=102
    User-Name = "00022d37685a"
    User-Password = "00022d37685a"
    Called-Station-Id = "0002.8a5b.3c44"
    Calling-Station-Id = "0002.2d37.685a"
    NAS-Port-Type = Virtual
    NAS-Port = 405
    NAS-IP-Address = 10.225.66.156
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "00022d37685a", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "00022d37685a"
rlm_realm: Proxying request from user 00022d37685a to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched 00022d37685a at 54
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.225.100.20:1645
    User-Name = "00022d37685a"
    User-Password = "00022d37685a"
    Called-Station-Id = "0002.8a5b.3c44"
    Calling-Station-Id = "0002.2d37.685a"
    NAS-Port-Type = Virtual
    NAS-Port = 405
    NAS-IP-Address = 10.225.66.156
    Proxy-State = 0x3136
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 10.225.100.20:1645, id=0, length=24
    Proxy-State = 0x3136
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
Login incorrect (Home Server says so): [00022d37685a/00022d37685a] (from client cvlmfg-ap-0001 port 405 cli 0002.2d37.685a)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 16 to 10.225.66.156:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 16 with timestamp 41ebf611
Nothing to do. Sleeping until we see a request.
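
Added example, not part of the original post: a small Python parser that traces one request through radiusd debug output like the transcript above and reports whether the users file matched, which realm the request was proxied to, and whether the home server's answer is what the access point finally received. The sample lines are copied from the transcript with attribute lists omitted; the function names are hypothetical and the parser assumes a log holding a single request.

```python
import re

# Constructed sample: lines copied from the transcript above, attributes omitted.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.225.66.156:1645, id=16, length=102
rlm_realm: Preparing to proxy authentication request to realm "NULL"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched 00022d37685a at 54
modcall[authorize]: module "files" returns ok for request 0
Sending Access-Request of id 0 to 10.225.100.20:1645
rad_recv: Access-Reject packet from host 10.225.100.20:1645, id=0, length=24
modcall[post-proxy]: module "eap" returns noop for request 0
Login incorrect (Home Server says so): [00022d37685a/00022d37685a] (from client cvlmfg-ap-0001 port 405 cli 0002.2d37.685a)
Sending Access-Reject of id 16 to 10.225.66.156:1645
"""

MODCALL = re.compile(r'modcall\[([\w-]+)\]: module "([^"]+)" returns (\w+)')
RECV = re.compile(r'rad_recv: (Access-\w+) packet from host ([\d.]+):\d+')
SEND = re.compile(r'Sending (Access-\w+) of id \d+ to ([\d.]+):\d+')
REALM = re.compile(r'rlm_realm: Preparing to proxy authentication request to realm "([^"]+)"')
USERS = re.compile(r'users: Matched (\S+) at (\d+)')

def trace_request(log):
    """Collect the decision points of one proxied request from debug output."""
    t = {"nas": None, "home_server": None, "proxy_realm": None,
         "users_match": None, "home_reply": None, "final_reply": None, "modules": {}}
    for line in log.splitlines():
        if m := MODCALL.search(line):      # per-section module return codes
            t["modules"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := REALM.search(line):      # realm module decided to proxy
            t["proxy_realm"] = m[1]
        elif m := USERS.search(line):      # users file entry and its line number
            t["users_match"] = (m[1], int(m[2]))
        elif m := RECV.search(line):
            if m[1] == "Access-Request":
                t["nas"] = m[2]            # request arriving from the access point
            else:
                t["home_reply"] = m[1]     # answer coming back from the home server
        elif m := SEND.search(line):
            if m[1] == "Access-Request":
                t["home_server"] = m[2]    # proxied copy sent upstream
            else:
                t["final_reply"] = m[1]    # reply returned to the access point
    return t

def proxied_reply_passed_through(t):
    # The users file matched locally, yet the reply sent to the NAS is the home server's.
    return (t["users_match"] is not None and t["proxy_realm"] is not None
            and t["home_reply"] is not None and t["final_reply"] == t["home_reply"])
```
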