Hi all,

I am trying to use a FreeRadius server as a proxy server using the realm. Apparently my configuration is working for the Access-Request messages, but not for the Accounting-Request messages.

The proxy.conf is very simple:

realm test.com {
        type = radius
        authhost = NNN.NNN.NN5.7:1812
        accthost = NNN.NNN.NN5.7:1813
        secret = ******
        ldflag = round_robin
        nostrip
}

With this configuration, the Access-Request messages are sent to the proper server, as you can see in the next radiusd -X output.

We receive the message from the PDSN:

Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.17.7.214:32786, id=6, length=337
        Calling-Station-Id = "310008172268681"
        User-Name = "8177899...@test.com"
        NAS-IP-Address = 172.17.7.214
        NAS-Identifier = "bws"

The radius sent it to the proper server:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528'
rlm_detail: /usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/freeRadius/log/radius/radacct/172.17.7.214/auth-detail-20090528
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '/' in User-Name = "8177899...@test.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "IPASS" returns noop for request 2
rlm_realm: Looking up realm "test.com" for User-Name ="8177899...@test.com"
rlm_realm: Found realm "test.com"
rlm_realm: Proxying request from user 8177899857 to realm test.com
rlm_realm: Adding Realm = "test.com"
rlm_realm: Preparing to proxy authentication request to realm "test.com"
modcall[authorize]: module "suffix" returns updated for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
radius_xlat: '8177899...@test.com'
rlm_sql (sql): sql_set_user escaped user --> '8177899...@test.com'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '8177899...@test.com' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '8177899...@test.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY usergroup.priority, radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '8177899...@test.com' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '8177899...@test.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY usergroup.priority, radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 2
radius_xlat: '/usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528'
rlm_detail: /usr/freeRadius/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/freeRadius/log/radius/radacct/172.17.7.214/pre-proxy-detail-20090528
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 2
modcall: leaving group pre-proxy (returns ok) for request 2
Sending Access-Request of id 1 to NNN.NNN.NN5.7 port 1812
        Calling-Station-Id = "310008172268681"
        User-Name = "8177899...@test.com"
        NAS-IP-Address = 172.17.7.214

The problem arises when the same PDSN asks for an Accounting-Request. The server replies that the shared key is not correct.

Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 172.17.7.214:32786, id=7, length=735
Received Accounting-Request packet from 172.17.7.214 with invalid signature! (Shared secret is incorrect.) Dropping packet without response.
Finished request 3

The shared key configured is one per node in both the radius and the PDSN, so it is difficult for me to understand this behavior.

Is there any configuration missing? Is it possible that the freeradius server is not checking the shared key when sending the Access-Request message to its destination and checking the key while processing the Accounting-Request?

Regards,
K
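
The "invalid signature" check from the log above, as an added example that is not part of the original post or FreeRADIUS code: per RFC 2866 an Accounting-Request authenticator is an MD5 over the packet and the shared secret, so the receiver can verify it on arrival, while per RFC 2865 an Access-Request authenticator is 16 random octets. The secrets, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4   # RADIUS packet codes

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def accounting_request(ident, attrs, secret):
    """RFC 2866: authenticator = MD5(code, id, length, 16 zero octets, attrs, secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    digest = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + digest + attrs

def access_request(ident, attrs, random_auth):
    """RFC 2865: the authenticator is 16 random octets, not derived from the secret."""
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + random_auth + attrs

def secret_matches(packet, secret):
    """True/False when the authenticator can be checked on receipt, None when it cannot."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("malformed RADIUS packet")
    if code != ACCOUNTING_REQUEST:
        return None  # Access-Request: the authenticator proves nothing about the secret
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the post.
NAS_SECRET = b"secret-on-the-nas"
SERVER_SECRET = b"secret-on-the-server"
USER = attr(1, b"user@test.com")               # User-Name
ACCT = USER + attr(40, struct.pack("!I", 1))   # Acct-Status-Type = Start

acct_pkt = accounting_request(7, ACCT, NAS_SECRET)
auth_pkt = access_request(6, USER, bytes(range(16)))

if __name__ == "__main__":
    print("accounting, same secret:     ", secret_matches(acct_pkt, NAS_SECRET))
    print("accounting, different secret:", secret_matches(acct_pkt, SERVER_SECRET))
    print("access-request:              ", secret_matches(auth_pkt, SERVER_SECRET))
```

An Access-Request only becomes checkable on receipt when it carries a Message-Authenticator attribute (RFC 2869), which this sketch does not implement.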