Dear Alan,

Thanks for your help. Maybe I should ask the question in another way.

Host B acted as both proxy/server.

for realm A -> proxy to other server
for realm B -> process locally

When the auth-accept is returned to the proxy (Host B), it will process section [post-auth] in radiusd.conf no matter what host B receives.

Q1. Any method such that host B won't go into [post-auth] when it is receiving a result from another server?

Q2. In case host B cannot bypass [post-auth] when receiving a result from another server, how can I define multiple sql sections in [post-auth]? As I cannot find any rule that I can set in [post-auth] such that it can go to [sql1] for realm A and [sql2] for realm B.

Many thanks!

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, September 23, 2005 1:10 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client

"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> But I'm afraid that you misunderstood the question.

I understood it fine. My response should have been clear.

> Yes, for normal Access-Accept if Host B act as server , the
> access-accept can be sent back to client

The problem has NOTHING to do with host B or Access-Accept.

> But when access-accept is sent from host A -> Host B , from host B debug
> log, it can be seen that
> as user-name is missing, the [sql] module cannot be run ,

No, the SQL module *is* run, but it is telling you that the query YOU CONFIGURED did not return any matches.

> freeradius return failed in [sql]
> where [sql] refers to post-auth query in this case and the statement
> contains "User-name" attribute
> (e.g. update xxx set xxx where username=attribute )

The post-auth query is updating the SQL database with data from the Access-Request packet. If that Access-Request packet does not contain a User-name, then the SQL query will not work.

This has nothing to do with Access-Accept, or host A, or host B.

> So I would like to ask if any special handling by freeradius in this case ?

I can't parse that sentence.

> As the post-auth [sql] section is configured in sql.conf and it should be
> same because only one post-auth query
> can be configured.

You can configure multiple SQL modules, where one has a postauth_query and the other does not. See the documentation.

> Or "user-name" attribute can never be included in the post-auth query in
> this case ? ( i.e. Host B acts as both proxy and auth-server)

It's up to YOU to decide that. That's why the queries are configurable. If the queries aren't doing what you want, edit them. If the server isn't doing what you want, edit the configuration files.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html