> "Ed Henderson" <[EMAIL PROTECTED]> wrote:
> > From what I can tell it appears that if a request is proxied then
> > freeradius does not use checkrad and automatically denies request.  Is
> > this how it is designed?  Or am I missing something?
> 
>   The software is designed that way because the network is designed
> that way.
> 
>   checkrad checks NASes.  It can't check RADIUS servers, because there
> is no way to ask a RADIUS server if a user is still online.  Checkrad
> can't check the NASes of the other RADIUS servers, as those NASes
> don't know who you are, they only know the RADIUS servers they talk to.
> 
>   Alan DeKok.
> 

I understand that it can't ask a radius server but is it possible to
have it check the original nas instead?  I do have the client info for
the NASes of the other server so that they can know who our radius
server is.  I did see an option in an older(?) clients.conf file
comments but do not see this in the latest file:

#  If this is defined as "client foo" then the hostname/ipaddr "foo"
#  will be looked up according to the source IP address of the radius
#  rqeuest packet, and the secret here will be used to check the
#  integrety of the request.
#
#  If this is defined as "nas foo" then foo will be looked up first
#  as the NAS-IP-Address in the radius request, then as the NAS-Ident
#  in the radius request.
#
#  Normally you'd use "client" unless the request came in through a
#  proxy server and you want to define a short name for the NAS
#  for logging purposes, or you want to do a "checkrad" back to the
#  original NAS and not to the proxy radius server!

I assume the "nas" feature is no longer valid?  If so this would solve
my issue.

--
Ed.

